Preface



This volume contains the proceedings of the 14th International Conference on
Rewriting Techniques and Applications (RTA2003). It was held June 9-11, 2003
in Valencia, Spain, as part of RDP, the Federated Conference on Rewriting, Deduction
and Programming, together with the International Conference on Typed
Lambda Calculi and Applications (TLCA2003), the International Workshop
on First-order Theorem Proving (FTP 2003), the annual meeting of the IFIP
Working Group 1.6 on Term Rewriting, the International Workshop on Rule-Based
Programming (RULE 2003), the International Workshop on Unification
(UNIF2003), the International Workshop on Functional and (Constraint) Logic
Programming (WFLP2003), the International Workshop on Reduction Strategies
in Rewriting and Programming (WRS2003), and the International Workshop
on Termination (WST2003).

RTA is the major forum for the presentation of research on all aspects of rewriting.
Previous RTA conferences were held in Dijon (1985), Bordeaux (1987),
Chapel Hill (1989), Como (1991), Montreal (1993), Kaiserslautern (1995), New
Brunswick, NJ (1996), Sitges, Barcelona (1997), Tsukuba (1998), Trento (1999),
Norwich (2000), Utrecht (2001), and Copenhagen (2002).

This year, there were 61 submissions, 57 regular research papers and 4
system descriptions, with authors from institutions in France (19.6 authors of
submitted papers, of which 11.3 were accepted), USA (6.5 of 9), UK (3.5 of 4.5),
Japan (3 of 6), Germany (2.5 of 4), The Netherlands (2.2 of 5.2), Spain (1.5 of 4),
Austria (1 of 1), Israel (0.5 of 2.5), Portugal (0 of 1), Algeria (0 of 1), Denmark
(0 of 1), Canada (0 of 1), Brazil (0 of 0.6), and Poland (0 of 0.5).

Each submission was assigned to at least four program committee members, 
who carefully reviewed the papers, in many cases with the help of one or more 
of a total number of 95 external referees. The merits of the submissions were 
discussed by the program committee during one week through the Internet by 
means of the PC Expert system. Finally, the program committee selected for 
publication 26 regular research papers and 6 system descriptions (where 3 of the 
latter ones had been submitted as regular research papers). 

The program committee decided to award the 1000 Euro best paper prize as follows.
One half was awarded to two research papers (250 Euro each): On the Complexity
of Higher-Order Matching in the Linear λ-Calculus, by Sylvain Salvati
and Philippe de Groote, and XML Schema, Tree Logic and Sheaves Automata,
by Silvano Dal Zilio and Denis Lugiez. The other half, 500 Euro, was awarded
to Nao Hirokawa and Aart Middeldorp, for their system description Tsukuba
Termination Tool, a new automated termination prover for rewrite systems.

In addition, at RTA 2003 there were invited talks by David McAllester, A Logical
Algorithm for ML Type Inference (a joint invited talk with TLCA), Pat
Lincoln, Symbolic Systems Biology, and Jean-Louis Giavitto, Topological Collections,
Transformations and their Application to the Modeling and the Simulation
of Dynamical Systems.

Many people helped to make RTA2003 a success. I am of course grateful to the 
members of the program committee and to the external reviewers, as well as to 
the local organizers and the sponsors. 

Special thanks go to Andrei Voronkov, who included into his PC Expert
software (in real time) many new features which improved the quality of the
reviewing process, like the extremely good interface for discussion, or the complete
hiding of information to PC members with conflicts of interest; for me, it
also eliminated most administrative work related to paper assignment, author
notification, automated creation of lists of referees, etc.

Finally, I thank the organizers of all co-located events at RDP 2003, which 
made RTA 2003 even more interesting and attractive to a larger audience, and 
among them, of course, Salva Lucas: when I suggested hosting RTA in Valencia, 
his enthusiasm was such that he ended up organizing a major event like RDP. 
Symbolic Systems Biology



Patrick Lincoln 

SRI International 
Computer Science Laboratory 



Technological breakthroughs have enabled complete genomic sequencing and 
proteomic study of many species, fueling exponential growth in the available 
biological data relevant to important biological functions. The computational 
analysis of these datasets has been hampered by many structural and scientific 
barriers. The application of symbolic toolsets borrowed from the term rewriting
and formal methods communities may help accelerate biologists' understanding
of network effects in complex biochemical systems of interest.

Unlike traditional biology that has focussed on single genes or proteins in 
isolation, systems biology is concerned with the study of complex interactions 
of DNA, RNA, proteins, information pathways, to understand how they work 
together to achieve some effect. Most systems biology research has focussed 
on stochastic or differential equation models of biological systems, but lack of 
knowledge of crucial rate constants reduces the utility of these approaches. 

Symbolic Systems Biology, the application of highly automated symbolic
tools such as multiset rewriting engines, model checkers, decision procedures,
and SAT solvers to systems biology, attempts to leverage what is already known
about biochemical systems to accelerate biological understanding. We have developed
a toolset called Pathway Logic based on Maude and other symbolic tools,
and applied it to signaling and metabolic pathway analysis. Pathway Logic builds
on efficient pathway interaction data curation, and enables animation of complex
pathway interactions, and in-silico gene knockout experiments. We have
also developed methods to automatically analyze “inherently continuous” or hybrid
continuous-discrete systems, creating completely symbolic representations
which enable extremely efficient analysis of certain types of questions. By constructing
an algebra and logic of signaling pathways and creating biologically
plausible abstractions, the goal of Symbolic Systems Biology is to provide the
foundation for the application of high-powered tools which can facilitate human
understanding of complex biological signaling networks, such as multi-cellular
signaling, bacterial metabolism and spore formation, mammalian cell cycle control,
and synthetic biological circuits.

These tools will be connected to publicly available datasources and toolsets 
including the BioSPICE platform (available through biospice.org) which provides 
an interoperable service architecture for integrating model builders, simulators, 
experimental data repositories, and various analyzers. 
Gilles Dowek
Abstract. The goal of this note is to compare two notions, one coming
from the theory of rewrite systems and the other from proof theory:
confluence and cut elimination. We show that to each rewrite system on
terms, we can associate a logical system: asymmetric deduction modulo
this rewrite system, and that the confluence property of the rewrite system
is equivalent to the cut elimination property of the associated logical
system. This equivalence, however, does not extend to rewrite systems
directly rewriting atomic propositions.



The goal of this note is to compare two notions, one coming from the theory of 
rewrite systems and the other from proof theory: confluence and cut elimination. 

The confluence of a rewrite system makes it possible to reduce the search space when we
want to establish that two terms are convertible. Similarly, the cut elimination
property of a logical system makes it possible to reduce the search space when we want
to establish that some proposition is provable.

Moreover, both properties can be used to prove the decidability of convertibility
or provability, when this reduction yields a finite search space. Finally, both
properties can be used to prove independence results (i.e. that two terms are not
convertible or that a proposition is not provable), and in particular consistency
results, when this reduction yields an empty search space.

The goal of this note is to show that this similarity between confluence and
cut elimination can be seen as a consequence of the fact that to each rewrite
system $\mathcal{R}$ rewriting terms, we can associate a logical system: asymmetric deduction
modulo $\mathcal{R}$, a variant of deduction modulo introduced in [5], and that the
confluence property of the rewrite system is equivalent to the cut elimination
property of the associated logical system. More precisely, we establish a parallel
between

— an equality $t = u$ and a sequent $P(t) \vdash P(u)$,

— the notion of conversion sequence and that of proof,

— the notion of peak and that of cut, and

— the notion of valley sequence and that of cut free proof.

Both valley sequences and cut free proofs may be called analytic as they
exploit the information present in their conclusion and its sub-parts but no
other information.
Finally, we relate a method used to prove cut elimination by defining an
algorithm transforming proofs step by step until all cuts are removed (see, for
instance, [8]) and a method used to prove confluence by defining an algorithm
transforming rewrite sequences step by step until all peaks are removed (see, for
instance, [2,9,1]). As an example, we reformulate Newman’s confluence theorem
[9] as a cut elimination theorem.

Asymmetric deduction modulo can be extended by allowing not only rules 
rewriting terms in propositions, but also directly atomic propositions. With such 
rules, confluence and cut elimination do not coincide anymore and confluence is 
not a sufficient analyticity condition: it must be replaced by cut elimination. 



1 Asymmetric Deduction Modulo 



In deduction modulo [5], the notions of language, term and proposition are that
of first-order predicate logic. But a theory is formed with a set of axioms $\Gamma$ and
a congruence $\equiv$ defined on propositions. Deduction rules are modified to take
this congruence into account. For instance, the right rule of conjunction is not
stated as usual

$$\frac{\Gamma \vdash A, \Delta \qquad \Gamma \vdash B, \Delta}{\Gamma \vdash A \wedge B, \Delta}\ \wedge\text{-right}$$

as the conclusion need not be exactly $A \wedge B$ but may be only convertible to this
proposition, hence it is stated

$$\frac{\Gamma \vdash A, \Delta \qquad \Gamma \vdash B, \Delta}{\Gamma \vdash C, \Delta}\ \wedge\text{-right} \quad \text{if } C \equiv A \wedge B$$

All rules of sequent calculus, or natural deduction, may be defined in a similar
way.

In this note, we consider only congruences defined by a rewrite system on
terms. A rewrite rule is a pair of terms $(l, r)$, written $l \to r$, such that $l$ is not a
variable. A rewrite system is a set of rules. Given such a system, the relation $\to$
is the smallest relation defined on terms and on propositions compatible with
the structure of terms and propositions such that for all substitutions $\theta$ and all
rewrite rules $l \to r$ of the rewrite system, $\theta l \to \theta r$. The relation $\to^+$ is the
transitive closure of $\to$, the relation $\to^*$ is its reflexive-transitive closure and
the relation $\equiv$ its reflexive-symmetric-transitive closure. Notice that rewriting
does not change the logical structure of a proposition, in particular an atomic
proposition only rewrites to an atomic proposition.

A conversion sequence is a finite sequence of terms or propositions $C_1, \ldots, C_n$
such that for each $i$ either $C_i \to C_{i+1}$ or $C_i \leftarrow C_{i+1}$. Obviously two terms or
two propositions $A$ and $B$ are convertible if there is a conversion sequence whose
first element is $A$ and last element is $B$. A peak in such a sequence is an index
$i$ such that $C_{i-1} \leftarrow C_i \to C_{i+1}$. A sequence is called a valley sequence if it
contains no peak, i.e. if it has the form $A \to \ldots \to \leftarrow \ldots \leftarrow B$.

For example, in arithmetic, we can define a congruence with the following
rules

$$0 + y \to y$$

$$S(x) + y \to S(x + y)$$

$$0 \times y \to 0$$

$$S(x) \times y \to x \times y + y$$

In the theory formed with the axiom $\forall x\ x = x$ and this congruence, we can
prove, in sequent calculus modulo, that the number 4 is even

$$\frac{\dfrac{\dfrac{}{4 = 4 \vdash 2 \times 2 = 4}\ \text{Axiom}}{\forall x\ x = x \vdash 2 \times 2 = 4}\ (x, x = x, 4)\ \forall\text{-left}}{\forall x\ x = x \vdash \exists x\ 2 \times x = 4}\ (x, 2 \times x = 4, 2)\ \exists\text{-right}$$

The sequent $4 = 4 \vdash 2 \times 2 = 4$, that requires a tedious proof in usual formulations
of arithmetic, can simply be proved with the axiom rule here, as $(4 = 4) \equiv
(2 \times 2 = 4)$.
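The rewriting behind that axiom step, as an added example (not code from the paper): the four arithmetic rules above are run on the term $2 \times 2$ until it reaches the numeral $4$, so that $4 = 4$ and $2 \times 2 = 4$ have a common reduct. The tuple encoding of terms and the leftmost-innermost strategy are choices made here.

```python
# Term rewriting with the four arithmetic rules above.  Terms are nested
# tuples ('0',), ('S', t), ('+', t, u), ('*', t, u); rule variables are
# plain strings.  The rules are the page's; the tuple encoding and the
# leftmost-innermost strategy are choices made for this example.
from typing import Optional

X, Y = 'x', 'y'

# 0 + y -> y ; S(x) + y -> S(x + y) ; 0 * y -> 0 ; S(x) * y -> x * y + y
RULES = [
    (('+', ('0',), Y), Y),
    (('+', ('S', X), Y), ('S', ('+', X, Y))),
    (('*', ('0',), Y), ('0',)),
    (('*', ('S', X), Y), ('+', ('*', X, Y), Y)),
]


def num(n: int) -> tuple:
    """The numeral n, i.e. S applied n times to 0."""
    t: tuple = ('0',)
    for _ in range(n):
        t = ('S', t)
    return t


def to_int(t: tuple) -> Optional[int]:
    """Inverse of num; None if t is not a pure numeral."""
    n = 0
    while t[0] == 'S':
        n, t = n + 1, t[1]
    return n if t == ('0',) else None


def match(pat, term, subst: dict) -> bool:
    """First-order matching: extend subst so that subst applied to pat is term."""
    if isinstance(pat, str):                      # rule variable
        if pat in subst:
            return subst[pat] == term
        subst[pat] = term
        return True
    if isinstance(term, str) or pat[0] != term[0] or len(pat) != len(term):
        return False
    return all(match(p, t, subst) for p, t in zip(pat[1:], term[1:]))


def apply(subst: dict, t):
    """Instantiate the rule variables of t."""
    if isinstance(t, str):
        return subst[t]
    return (t[0],) + tuple(apply(subst, a) for a in t[1:])


def step(t):
    """One rewrite step, leftmost-innermost; None if t is in normal form."""
    for i, arg in enumerate(t[1:], start=1):      # redexes in subterms first
        r = step(arg)
        if r is not None:
            return t[:i] + (r,) + t[i + 1:]
    for lhs, rhs in RULES:                        # then a rule at the root
        subst: dict = {}
        if match(lhs, t, subst):
            return apply(subst, rhs)
    return None


def normalize(t) -> tuple:
    """Normal form of t (the system is terminating, so this loop ends)."""
    while (r := step(t)) is not None:
        t = r
    return t


def common_reduct(t, u) -> bool:
    """The axiom rule of asymmetric deduction modulo proves P(t) |- P(u)
    exactly when t and u have a common reduct; for this confluent and
    terminating system that means equal normal forms."""
    return normalize(t) == normalize(u)


if __name__ == '__main__':
    two_times_two = ('*', num(2), num(2))
    print(to_int(normalize(two_times_two)))        # 4
    print(common_reduct(two_times_two, num(4)))    # True: 4 = 4 |- 2 x 2 = 4
```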

Deduction modulo a congruence defined by a rewrite system on terms uses 
this rewrite system only through the congruence it generates. The way these 
congruences are established is not taken into consideration. Thus, cut free proofs 
are analytic in the sense that they do not use the cut rule but not in the sense 
they establish congruences with valley sequences. Hence, we introduce a weaker 
system, asymmetric deduction modulo, where propositions can only be reduced. 
The rules of asymmetric sequent calculus modulo are given in figure 1. 



2 Cut Elimination in Atomic Symmetric Deduction Modulo

We first consider a fragment of symmetric deduction modulo where all proposi- 
tions are atomic. This system contains only the axiom rule, the cut rule and the 
structural rules (weakening and contraction). 

To relate proofs in atomic deduction modulo and rewrite sequences, we prove
that the sequent $P(t) \vdash P(u)$ is provable in atomic deduction modulo if and only
if $t \equiv u$. This is a direct consequence of the following proposition.

Proposition 1. In atomic deduction modulo, the sequent $\Gamma \vdash \Delta$ is provable if
and only if $\Gamma$ contains a proposition $A$ and $\Delta$ a proposition $B$ such that $A \equiv B$.

Proof. If $\Gamma$ contains a proposition $A$ and $\Delta$ a proposition $B$ such that $A \equiv B$,
then the sequent $\Gamma \vdash \Delta$ can be proved with the axiom rule.

Conversely, we prove by induction over proof structure that if the sequent
$\Gamma \vdash \Delta$ is provable, then $\Gamma$ contains a proposition $A$ and $\Delta$ a proposition $B$ such
that $A \equiv B$.

This is obvious if the last rule of the proof is the axiom rule. If the last rule
is a structural rule, we simply apply the induction hypothesis. Finally, if the last
rule is the cut rule, then the proof has the form

$$\frac{\overset{\pi_1}{\Gamma \vdash C_1, \Delta} \qquad \overset{\pi_2}{\Gamma, C_2 \vdash \Delta}}{\Gamma \vdash \Delta}\ \text{Cut}$$
Fig. 1. Asymmetric sequent calculus modulo



with $C_1 \equiv C_2$. By induction hypothesis

— $\Gamma$ and $\Delta$ contain two convertible propositions or $\Gamma$ contains a proposition
convertible to $C_1$,

— $\Gamma$ and $\Delta$ contain two convertible propositions or $\Delta$ contains a proposition
convertible to $C_2$.

Thus, in all cases, $\Gamma$ and $\Delta$ contain two convertible propositions.

The next proposition shows that atomic deduction modulo has the cut elimi- 
nation property, i.e. that all provable sequents have a cut free proof. It is known, 
in general, that deduction modulo a congruence defined by a rewrite system on 
terms has the cut elimination property [6], but for the case of atomic deduction 
modulo, this is a direct consequence of proposition 1. 
Proposition 2. In atomic deduction modulo, all provable sequents have a cut
free proof.

Proof. If a sequent $\Gamma \vdash \Delta$ is provable then, by proposition 1, $\Gamma$ and $\Delta$ contain
two convertible propositions and thus the sequent $\Gamma \vdash \Delta$ can be proved with the
axiom rule.

We can also define a proof reduction algorithm that reduces cuts step by 
step. 

Definition 1 (Proof reduction).

Consider a proof of the form

$$\frac{\overset{\pi_1}{\Gamma \vdash C_1, \Delta} \qquad \overset{\pi_2}{\Gamma, C_2 \vdash \Delta}}{\Gamma \vdash \Delta}\ \text{Cut}$$

where $\pi_1$ and $\pi_2$ are cut free proofs.

The multisets $\Gamma$ and $C_1, \Delta$ contain two convertible propositions. Similarly,
$\Gamma, C_2$ and $\Delta$ contain two convertible propositions. Thus,

— $\Gamma$ and $\Delta$ contain two convertible propositions or $\Gamma$ contains a proposition
convertible to $C_1$,

— $\Gamma$ and $\Delta$ contain two convertible propositions or $\Delta$ contains a proposition
convertible to $C_2$.

Thus, as $C_1 \equiv C_2$, $\Gamma$ and $\Delta$ contain two convertible propositions in all cases
and this proof reduces to

$$\frac{}{\Gamma \vdash \Delta}\ \text{Axiom}$$

When a proof contains a cut, the proofs of the premises of the highest cut 
are obviously cut free and this proof reduction algorithm applies. It terminates 
because it removes a cut at each step. Thus, it produces a cut free proof after a 
finite number of steps. 

3 Cut Elimination in Atomic Asymmetric Deduction Modulo

Let us now turn to asymmetric deduction modulo, still in the atomic case. We
prove that in asymmetric atomic deduction modulo, a sequent $P(t) \vdash P(u)$ is
provable if and only if $t \equiv u$ and that this sequent has a cut free proof if and
only if $t$ and $u$ have a common reduct. Thus, proofs in asymmetric deduction
modulo correspond to rewrite sequences and cut free proofs to valley sequences.

Proposition 3. In asymmetric atomic deduction modulo, the sequent $\Gamma \vdash \Delta$ is
provable if and only if $\Gamma$ contains a proposition $A$ and $\Delta$ a proposition $B$ such
that $A \equiv B$.
Proof. Obviously, if the sequent $\Gamma \vdash \Delta$ is provable in asymmetric deduction
modulo, then it is provable in symmetric deduction modulo and $\Gamma$ and $\Delta$ contain
two convertible propositions.

The converse is slightly more difficult than in the symmetric case because the
axiom rule does not apply directly. Assume there are propositions $A$ in $\Gamma$ and
$B$ in $\Delta$ such that $A \equiv B$. Then there is a rewrite sequence $A = C_1, \ldots, C_n = B$
joining $A$ and $B$. We prove, by induction on the number of peaks in this sequence,
that the sequent $\Gamma \vdash \Delta$ is provable.

If the sequence contains no peak, then $A$ and $B$ have a common reduct and
the sequent $\Gamma \vdash \Delta$ can be proved with the axiom rule. Otherwise, there is a
peak $i$ in this sequence. The sequences $C_1, \ldots, C_i$ and $C_i, \ldots, C_n$ contain fewer
peaks than $C_1, \ldots, C_n$, thus, by induction hypothesis, the sequents $\Gamma \vdash C_i, \Delta$
and $\Gamma, C_i \vdash \Delta$ have proofs $\pi_1$ and $\pi_2$. We build the proof

$$\frac{\overset{\pi_1}{\Gamma \vdash C_i, \Delta} \qquad \overset{\pi_2}{\Gamma, C_i \vdash \Delta}}{\Gamma \vdash \Delta}\ (C_i)\ \text{Cut}$$



Proposition 4. In asymmetric deduction modulo, the sequent $\Gamma \vdash \Delta$ has a cut
free proof if and only if $\Gamma$ contains a proposition $A$ and $\Delta$ a proposition $B$ such
that $A$ and $B$ have a common reduct.

Proof. If $\Gamma$ contains a proposition $A$ and $\Delta$ a proposition $B$ such that $A$ and $B$
have a common reduct, then the sequent $\Gamma \vdash \Delta$ can be proved with the axiom
rule. Conversely, if the sequent $\Gamma \vdash \Delta$ has a cut free proof, we prove, by induction
over proof structure, that $\Gamma$ contains a proposition $A$ and $\Delta$ a proposition $B$
such that $A$ and $B$ have a common reduct. This is obvious if the last rule is an
axiom rule. If the last rule is a structural rule, we apply the induction hypothesis.

We can now state our main proposition that relates confluence and cut elim- 
ination. 

Proposition 5 (Main proposition). The cut rule is redundant in asymmetric
atomic deduction modulo a rewrite system if and only if this rewrite system is
confluent.

Proof. Assume that the rewrite system is confluent. If the sequent $\Gamma \vdash \Delta$ is
provable then, by proposition 3, $\Gamma$ and $\Delta$ contain two convertible propositions.
By confluence, they have a common reduct and thus, by proposition 4, the
sequent $\Gamma \vdash \Delta$ has a cut free proof.

Conversely, assume that the cut rule is redundant. If $A \equiv B$ (resp. $t \equiv u$)
then by proposition 3, the sequent $A \vdash B$ (resp. $P(t) \vdash P(u)$) is provable, thus
it has a cut free proof and, by proposition 4, $A$ and $B$ (resp. $t$ and $u$) have a
common reduct.
4 Proof Reduction

Like in the symmetric case (definition 1) we want to design an algorithm reduc- 
ing proofs and eliminating cuts step by step. In the asymmetric case however 
this algorithm is a little more involved as it needs to perform shorter steps to 
reconstruct reductions instead of conversions. This algorithm is a reformulation 
in sequent calculus of Newman’s algorithm that reduces rewrite sequences elim- 
inating peaks, step by step. To define it, we need to use the local confluence of 
the rewrite system and, to prove its termination, the termination of the system. 

Definition 2 (Proof reduction). Consider a proof of the form

$$\frac{\overset{\pi_1}{\Gamma \vdash C_1, \Delta} \qquad \overset{\pi_2}{\Gamma, C_2 \vdash \Delta}}{\Gamma \vdash \Delta}\ (C)\ \text{Cut}$$

where $\pi_1$ and $\pi_2$ are cut free proofs.

As $\pi_1$ is cut free, $\Gamma$ and $C_1, \Delta$ contain two propositions that have a common
reduct. Similarly, $\Gamma, C_2$ and $\Delta$ contain two propositions that have a common
reduct.

If $\Gamma$ and $\Delta$ contain two propositions that have a common reduct $C'$, then this
proof reduces to

$$\frac{}{\Gamma \vdash \Delta}\ (C')\ \text{Axiom}$$

Otherwise, $\Gamma$ contains a proposition $A$ that has a common reduct $B$ with $C_1$ and
$\Delta$ contains a proposition $E$ that has a common reduct $D$ with $C_2$. Let us write
$\Gamma = \Gamma', A$ and $\Delta = E, \Delta'$. We have

$$A \to^* B \leftarrow^* C \to^* D \leftarrow^* E$$

If $B = C$ or $C = D$ then either $D$ or $B$ is a common reduct of $A$ and $E$ and
this proof reduces to

$$\frac{}{\Gamma \vdash \Delta}\ (D)\ \text{Axiom}$$

or to

$$\frac{}{\Gamma \vdash \Delta}\ (B)\ \text{Axiom}$$

Otherwise we have $B \leftarrow^+ C \to^+ D$ and there are propositions $C'_1$ and $C'_2$ such
that

$$B \leftarrow^* C'_1 \leftarrow C \to C'_2 \to^* D$$

If there is a proposition $C''$ such that $C'_1 \to^* C'' \leftarrow^* C'_2$, then we have

$$A \to^* B \leftarrow^* C'_1 \to^* C'' \leftarrow^* C'_2 \to^* D \leftarrow^* E$$

and this proof reduces to

$$\frac{\dfrac{\dfrac{}{\Gamma', A \vdash C'_1, C'_2, E, \Delta'}\ (B)\ \text{Axiom} \qquad \dfrac{}{\Gamma', A, C'_1 \vdash C'_2, E, \Delta'}\ (C'')\ \text{Axiom}}{\Gamma', A \vdash C'_2, E, \Delta'}\ (C'_1)\ \text{Cut} \qquad \dfrac{}{\Gamma', A, C'_2 \vdash E, \Delta'}\ (D)\ \text{Axiom}}{\Gamma', A \vdash E, \Delta'}\ (C'_2)\ \text{Cut}$$

otherwise this proof cannot be reduced.
Example 1. This proof reduction algorithm may fail. Consider the rewrite system

$$a \to b \qquad a \to b'$$

There is no way to reduce the proof

$$\frac{\dfrac{}{P(b) \vdash P(a), P(b')}\ (P(b))\ \text{Axiom} \qquad \dfrac{}{P(b), P(a) \vdash P(b')}\ (P(b'))\ \text{Axiom}}{P(b) \vdash P(b')}\ (P(a))\ \text{Cut}$$

But this situation cannot occur if the rewrite system is locally confluent.



Proposition 6. If the rewrite system is locally confluent, then the proof reduction
algorithm of definition 2 does not fail.

Proof. If $C'_1 \leftarrow C \to C'_2$ then, by local confluence, there is a proposition $C''$
such that $C'_1 \to^* C'' \leftarrow^* C'_2$.



Example 2. The proof reduction algorithm of definition 2 may loop. Consider
the rewrite system

$$a \to b \qquad a \to c \qquad b \to a \qquad b \to d$$

Let $A$ be the proposition $P(a)$, $B$ be the proposition $P(b)$, $C$ be the proposition
$P(c)$ and $D$ be the proposition $P(d)$. We write $D^n$ for the proposition $D$ repeated
$n$ times. The proof

$$\frac{\dfrac{}{C \vdash A, D, D^n}\ (C)\ \text{Axiom} \qquad \dfrac{}{C, A \vdash D, D^n}\ (D)\ \text{Axiom}}{C \vdash D, D^n}\ (A)\ \text{Cut}$$

reduces to

$$\frac{\dfrac{\dfrac{}{C \vdash C, B, D, D^n}\ (C)\ \text{Axiom} \qquad \dfrac{}{C, C \vdash B, D, D^n}\ (C)\ \text{Axiom}}{C \vdash B, D, D^n}\ (C)\ \text{Cut} \qquad \dfrac{}{C, B \vdash D, D^n}\ (D)\ \text{Axiom}}{C \vdash D, D^n}\ (B)\ \text{Cut}$$

that reduces to

$$\frac{\dfrac{}{C \vdash B, D, D^n}\ (C)\ \text{Axiom} \qquad \dfrac{}{C, B \vdash D, D^n}\ (D)\ \text{Axiom}}{C \vdash D, D^n}\ (B)\ \text{Cut}$$

that reduces to

$$\frac{\dfrac{\dfrac{}{C \vdash A, D, D, D^n}\ (C)\ \text{Axiom} \qquad \dfrac{}{C, A \vdash D, D, D^n}\ (D)\ \text{Axiom}}{C \vdash D, D, D^n}\ (A)\ \text{Cut} \qquad \dfrac{}{C, D \vdash D, D^n}\ (D)\ \text{Axiom}}{C \vdash D, D^n}\ (D)\ \text{Cut}$$

that contains the initial proof (for $n + 1$) as a sub-proof. The proof reduction
algorithm loops on this proof, replacing a cut on the proposition $A$ by one on
the proposition $B$ and vice versa.



But this situation cannot occur if the rewrite system is terminating. 

Proposition 7. If the rewrite system is terminating then the proof reduction 
algorithm of definition 2 is terminating. 

Proof. As the rewrite system is terminating, its reduction ordering is well-founded 
and thus so is the multiset extension of this ordering. 

At each step, the algorithm of definition 2 replaces a cut with the cut proposition
$C$ by two cuts with the cut propositions $C'_1$ and $C'_2$ where $C \to C'_1$ and
$C \to C'_2$. Thus, the multiset of cut propositions in the proof decreases for the
multiset extension of the reduction ordering of the rewrite system. Therefore,
the proof reduction algorithm terminates.

Corollary 1. If a rewrite system is locally confluent and terminating then the 
proof reduction algorithm of definition 2 always succeeds. 



Corollary 2. If a rewrite system is locally confluent and terminating then asym- 
metric deduction modulo this rewrite system has the cut elimination property. 

Corollary 3 (Newman’s theorem [9]). If a rewrite system is locally conflu- 
ent and terminating then it is confluent. 



Remark 1. We have seen that confluence is equivalent to cut elimination and that
local confluence and termination imply normalization (i.e. termination of the
proof reduction algorithm) and hence cut elimination. But notice that confluence
alone does not imply normalization. Indeed, if we add to the rewrite system of
example 2 the rules $c \to e$ and $d \to e$, we obtain confluence and thus cut
elimination, but the counterexample to normalization still holds. We obtain this
way an example of a system that has the cut elimination property, but not the
normalization property. Hence, in asymmetric deduction modulo, normalization
is a stronger property than cut elimination.

In [9] , Newman proves more than confluence (cut elimination) for terminating 
locally confluent rewrite systems, as he proves normalization, i.e. the termination 
of an algorithm that reduces peaks step by step in conversion sequences. 
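Propositions 3 to 5 and Remark 1, worked on finite ground systems as an added example (not code from the paper): atomic propositions $P(c)$ rewrite exactly as their constant $c$ does, so a sequent is written as a pair of lists of constants. The proof construction of Proposition 3 turns each peak of a shortest conversion sequence into a cut, the common-reduct test of Proposition 4 decides cut free provability, and a brute-force check confirms that the system of Example 1 is not confluent while the system of Remark 1 is. The graph encoding and the proof-tree representation are choices made here.

```python
# Atomic asymmetric deduction modulo over a finite ground rewrite system.
# A rule is a pair (lhs, rhs) of constants; P(c) rewrites as c does, so a
# sequent Gamma |- Delta is a pair of lists of constants.  The rewrite
# systems are those of Example 1 and Remark 1; the graph encoding and the
# proof representation are this example's own.
from collections import deque
from itertools import product


def reducts(rules, c):
    """All reducts of c under ->* (reflexive-transitive closure)."""
    seen, todo = {c}, [c]
    while todo:
        x = todo.pop()
        for lhs, rhs in rules:
            if lhs == x and rhs not in seen:
                seen.add(rhs)
                todo.append(rhs)
    return seen


def common_reduct(rules, a, b):
    """Some C with a ->* C <-* b, or None if there is none."""
    both = reducts(rules, a) & reducts(rules, b)
    return min(both) if both else None


def conversion_sequence(rules, a, b):
    """Shortest a = C1, ..., Cn = b with Ci -> Ci+1 or Ci <- Ci+1 (BFS in the
    undirected rule graph), as [(C1, s1), ..., (Cn, None)] where si is '->'
    or '<-' relating Ci to Ci+1; None if a and b are not convertible."""
    prev, queue = {a: None}, deque([a])
    while queue and b not in prev:
        x = queue.popleft()
        for lhs, rhs in rules:
            if lhs == x and rhs not in prev:
                prev[rhs] = (x, '->')
                queue.append(rhs)
            if rhs == x and lhs not in prev:
                prev[lhs] = (x, '<-')
                queue.append(lhs)
    if b not in prev:
        return None
    seq, x = [(b, None)], b
    while prev[x] is not None:
        x, direction = prev[x]
        seq.append((x, direction))
    return seq[::-1]


def peaks(seq):
    """Indices i with C(i-1) <- Ci -> C(i+1)."""
    return [i for i in range(1, len(seq) - 1)
            if seq[i - 1][1] == '<-' and seq[i][1] == '->']


def proof(rules, gamma, delta, seq):
    """Proposition 3: build a proof of Gamma |- Delta from a conversion
    sequence joining some A in Gamma to some B in Delta, one cut per peak.
    Trees are ('Axiom', C, sequent) or ('Cut', Ci, left, right, sequent)."""
    sequent = (tuple(gamma), tuple(delta))
    ps = peaks(seq)
    if not ps:                  # a valley: its ends have a common reduct
        return ('Axiom', common_reduct(rules, seq[0][0], seq[-1][0]), sequent)
    i = ps[0]
    ci = seq[i][0]
    left = proof(rules, gamma, [ci] + delta, seq[:i] + [(ci, None)])
    right = proof(rules, gamma + [ci], delta, seq[i:])
    return ('Cut', ci, left, right, sequent)


def cuts(tree):
    """Number of cuts in a proof tree."""
    return 0 if tree[0] == 'Axiom' else 1 + cuts(tree[2]) + cuts(tree[3])


def cut_free_provable(rules, gamma, delta):
    """Proposition 4: some A in Gamma and B in Delta have a common reduct."""
    return any(common_reduct(rules, a, b) is not None
               for a, b in product(gamma, delta))


def confluent(rules):
    """Finite check: every two convertible constants have a common reduct."""
    consts = {c for rule in rules for c in rule}
    return all(common_reduct(rules, a, b) is not None
               for a, b in product(consts, repeat=2)
               if conversion_sequence(rules, a, b) is not None)


EXAMPLE_1 = [('a', 'b'), ('a', "b'")]
REMARK_1 = [('a', 'b'), ('a', 'c'), ('b', 'a'), ('b', 'd'), ('c', 'e'), ('d', 'e')]

if __name__ == '__main__':
    seq = conversion_sequence(EXAMPLE_1, 'b', "b'")     # b <- a -> b': one peak
    print(cuts(proof(EXAMPLE_1, ['b'], ["b'"], seq)))    # 1: a cut on P(a)
    print(cut_free_provable(EXAMPLE_1, ['b'], ["b'"]))   # False: no cut free proof
    print(confluent(EXAMPLE_1), confluent(REMARK_1))     # False True
```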
5 Cut Elimination in Full Asymmetric Deduction Modulo

We consider now full asymmetric deduction modulo, and we prove that cut 
elimination is still equivalent to the confluence of the rewrite system. 

Proposition 8. The cut rule is redundant in asymmetric deduction modulo a 
rewrite system if and only if this rewrite system is confluent. 

Proof. The fact that cut elimination implies confluence is easy as cut elimination 
implies cut elimination for the atomic case and hence confluence. 

To prove that confluence implies cut elimination, we have to extend the proof 
of proposition 5 to the non atomic case. 

Without loss of generality, we can restrict to proofs where the axiom rule is 
used on atomic propositions only. 

We follow the cut elimination proof of [8]. When we have a proof containing
a cut

$$\frac{\overset{\pi_1}{\Gamma, C_1 \vdash \Delta} \qquad \overset{\pi_2}{\Gamma \vdash C_2, \Delta}}{\Gamma \vdash \Delta}\ (C)\ \text{Cut} \qquad C_1 \leftarrow^* C \to^* C_2$$

then we show that from $\pi_1$ and $\pi_2$, we can reconstruct a proof of $\Gamma \vdash \Delta$ introducing
cuts on smaller propositions than $C$ (i.e. propositions with fewer connectors
and quantifiers).

More generally, we prove, by induction on the structure of $\pi_1$ and $\pi_2$, that
from a proof $\pi_1$ of $\Gamma, \mathcal{C}_1 \vdash \Delta$ and $\pi_2$ of $\Gamma \vdash \mathcal{C}_2, \Delta$, where $\mathcal{C}_1$ and $\mathcal{C}_2$ are multisets
of reducts of some proposition $C$, we can reconstruct a proof of $\Gamma \vdash \Delta$. Notice that,
as the rewrite system rewrites terms only, rewriting does not change the logical
structure of a proposition (i.e. an atomic proposition only rewrites to an atomic
proposition, a conjunction to a conjunction, ...).

There are several cases to consider. 

— If the last rule of $\pi_1$ or the last rule of $\pi_2$ is a structural rule, then we apply
the induction hypothesis.

— If the last rule of $\pi_1$ or the last rule of $\pi_2$ is a logical rule on a proposition
in $\Gamma$ or $\Delta$, then we apply the induction hypothesis.

— If the last rule of $\pi_1$ or the last rule of $\pi_2$ is an axiom rule on propositions
in $\Gamma$ and $\Delta$, then $\Gamma$ and $\Delta$ contain two propositions that have a common
reduct $C'$ and we take the proof

$$\frac{}{\Gamma \vdash \Delta}\ (C')\ \text{Axiom}$$

— The key case in the proof of [8] is when both $\pi_1$ and $\pi_2$ end with a logical
rule on a proposition in $\mathcal{C}_1$ and $\mathcal{C}_2$. For instance, if $C$ has the form $A \wedge B$,
$A_1 \wedge B_1 \leftarrow^* A \wedge B \to^* A_2 \wedge B_2$ and the proofs $\pi_1$ and $\pi_2$ have the form

$$\frac{\overset{\rho_1}{\Gamma, A'_1, B'_1 \vdash \Delta}}{\Gamma, A_1 \wedge B_1 \vdash \Delta}\ \wedge\text{-left}$$

with $A_1 \wedge B_1 \to^* A'_1 \wedge B'_1$ and

$$\frac{\overset{\rho_2}{\Gamma \vdash A'_2, \Delta} \qquad \overset{\rho_3}{\Gamma \vdash B'_2, \Delta}}{\Gamma \vdash A_2 \wedge B_2, \Delta}\ \wedge\text{-right}$$

with $A_2 \wedge B_2 \to^* A'_2 \wedge B'_2$.

In this case, we have $A'_1 \wedge B'_1 \leftarrow^* A_1 \wedge B_1 \leftarrow^* A \wedge B \to^* A_2 \wedge B_2 \to^* A'_2 \wedge B'_2$,
thus $A'_1 \leftarrow^* A \to^* A'_2$ and $B'_1 \leftarrow^* B \to^* B'_2$ and we reconstruct the proof

$$\frac{\dfrac{\dfrac{\overset{\rho_2}{\Gamma \vdash A'_2, \Delta}}{\Gamma, B'_1 \vdash A'_2, \Delta}\ \text{weak-left} \qquad \overset{\rho_1}{\Gamma, B'_1, A'_1 \vdash \Delta}}{\Gamma, B'_1 \vdash \Delta}\ (A)\ \text{Cut} \qquad \overset{\rho_3}{\Gamma \vdash B'_2, \Delta}}{\Gamma \vdash \Delta}\ (B)\ \text{Cut}$$

The case of the other connectors and quantifiers is similar.

— The new case in asymmetric deduction modulo is when the last rule of both
proofs is an axiom rule involving a proposition in $\mathcal{C}_1$ and $\mathcal{C}_2$. Notice that
the proposition $C$ is atomic in this case, as we have restricted the Axiom
rule to apply on atomic propositions only. Thus, $\Gamma$ contains a proposition $A$
that has a common reduct $B$ with $C_1$ in $\mathcal{C}_1$ and $\Delta$ contains a proposition $E$
that has a common reduct $D$ with $C_2$ in $\mathcal{C}_2$. We have

$$A \to^* B \leftarrow^* C \to^* D \leftarrow^* E$$

This is the case where we use confluence to obtain that $A$ and $E$ have a
common reduct $C''$ and we take the proof

$$\frac{}{\Gamma \vdash \Delta}\ (C'')\ \text{Axiom}$$

Remark 2. This proof suggests a cut elimination algorithm that integrates the 
cut elimination algorithm of sequent calculus and Newman’s algorithm: it be- 
haves like the latter for atomic cuts and like the former for non atomic ones. 
Again, we need the termination of the rewrite system to prove the termination 
of this cut elimination algorithm. 



Remark 3. If we consider now rules directly rewriting atomic propositions to
non atomic ones, for instance a rule like $A \to B \wedge \neg A$, then confluence [3,6],
and even confluence and termination [7], do not imply cut elimination anymore.
Some propositions have proofs using the cut rule but no cut free proof.

In this case, confluence is not a sufficient analyticity condition anymore. As
a consequence, with term rewrite systems, confluence is a sufficient condition
for the completeness of proof search methods, such as equational resolution (i.e.
resolution where some equational axioms are dropped and unification is replaced
by equational unification), but with proposition rewrite systems, confluence is
not a sufficient condition for the completeness of resolution modulo and this
condition must be replaced by cut elimination (see [4] for a discussion on this
point).

Conclusion 

When a congruence is defined by a term rewrite system, the confluence of this
rewrite system and the cut elimination property for asymmetric deduction modulo
this system coincide, and analyticity can be defined using either one property
or the other.

When the rewrite system is also terminating, then asymmetric deduction 
modulo not only verifies cut elimination, but also normalization. 

But when a congruence is defined by rules directly rewriting atomic propo- 
sitions, confluence is not a sufficient analyticity condition anymore and must be 
replaced by cut elimination. 
Abstract. We introduce a novel representation for associative-commutative
(AC) terms which, for certain important classes of rewrite rules,
allows both the AC matching and the AC renormalization steps to be
accomplished using time and space that is logarithmic in the size of
the flattened AC argument lists involved. This novel representation can
be cumbersome for other, more general algorithms and manipulations.
Hence, we describe machine efficient techniques for converting to and
from a more conventional representation together with a heuristic for deciding
at runtime when to convert a term to the new representation. We
sketch how our approach can be generalized to order-sorted AC rewriting
and to other equational theories. We also present some experimental
results using the Maude 2 interpreter.



1 Introduction 

Rewriting modulo associative and commutative theories, otherwise known as AC 
rewriting, is a key operation in a number of languages [8,4,5,14] and theorem 
provers [12,21] employing term rewriting. In general, AC congruence classes are 
too large to be represented explicitly and so unique representatives, called AC 
normal forms or AC canonical forms are used. These are typically generated by 
replacing nested occurrences of the same AC operator by a flattened argument 
list under a variadic symbol, sorting these arguments under some linear ordering 
and combining equal arguments using multiplicity superscripts. For example the 
congruence class containing 

f(f(β, α), f(f(γ, β), β)) 

where f is an AC symbol and subterms α, β and γ belong to alien theories might 
be represented by 

f*(α, β^3, γ) 

where f* is a variadic symbol that replaces nested occurrences of f. A more 
formal account of this transformation is given in [9]. Of course the linear ordering 
on terms used to sort the argument list must be extended to these AC normal 
forms. The multiset ordering has pleasant theoretical properties and is often 
used for this purpose, though as we will see later, it is seldom the best ordering 
for a practical implementation. 

AC rewriting proceeds by using a special form of matching called AC match- 
ing on these AC normal forms (with some handling of extension, should an AC 
operator occur on top of the subterm being rewritten). Following the replace- 
ment step, the resulting term is generally not in AC normal form and must be 
renormalized before another AC rewrite step can be performed. 

The problem of deciding whether an AC match exists is known to be NP- 
complete [3] and remains NP-complete even in the elementary case [11] where 
there is only a single AC operator with variables and constants. Nevertheless, 
instances that occur in practice tend not to be pathological and a variety of 
practical matching algorithms have been designed. There are really two cases 
that algorithms are designed for. 

The first is the general case where arbitrary nonlinearity is allowed. This 
case tends to arise in theorem proving applications. Algorithms are generally 
search based, and use several techniques to collapse the search space, such as 
constraint propagation on nonlinear variables [15], recursive decomposition into 
subproblems via bipartite graphs [9], ordering matching subproblems based on 
constraint propagation considerations [10] and Diophantine techniques [11]. 

The second case is where there is little or no nonlinearity and the pattern 
falls into one of several forms for which efficient algorithms can be designed. This 
situation tends to arise when programming with AC rewrite rules. Examples are 
the depth-bounded patterns in the many-to-one matching algorithm used by 
ELAN [22,20] and the greedy matching techniques adopted in Maude. Here a 
full AC matching algorithm of the first kind is needed as a fallback for when the 
specialized approaches fail to apply. 

In recent years there has been much progress in improving the performance of 
AC rewriting implementations as evidenced by the CafeOBJ/Brute [17], ELAN 
[4] and Maude [5] systems. Nevertheless, even in the best case, all published algo- 
rithms for AC matching (supposing a successful match) and AC renormalization 
require the examination of all of the arguments in the flattened AC argument 
lists involved. Thus processing the elements of a set or multiset using AC rewrit- 
ing will require at least quadratic time as each rewrite step will need at least 
linear time. This fact is a major hurdle in achieving the goal stated in [20] of 
promoting AC rewriting to a general purpose programming construct. 

In this paper we introduce a new representation for terms in AC normal 
form and identify a broad class of AC patterns for which a single matching sub- 
stitution can be computed in time logarithmic in the size of the AC argument 
list. Furthermore we identify an important class of righthand side replacement 
terms for which the AC renormalization step can also be accomplished in time 
logarithmic in the size of the AC argument list. Thus with some care about 
reduction strategy and the maintenance of reduced flags there is a very useful 
class of AC rewrite rules that can be executed in logarithmic time. We also ex- 
amine a number of refinements to improve the performance of the basic method 
and sketch how it can be generalized to handle order-sorted rewriting. We also 
sketch how our general approach can be adapted to other equational theories. 
Because our novel AC representation can be cumbersome for more general algo- 
rithms and manipulations we discuss machine efficient techniques for converting 
between representations. To demonstrate the practicality of our approach we 
give the results of some initial experiments performed using various versions of 
the Maude 2 interpreter. 

1.1 A Motivating Example 

Maps, or associative arrays as they are sometimes called in programming, are a 
very useful data structure that generalize arrays. Consider the Maude 2 speci- 
fication of the map data type shown in Figure 1. A more elegant specification 
could be given using an order-sorted signature and an identity but for clarity of 
exposition we will confine our discussion to the most basic language features. 

The data type Map is formed from three constructors, one of which is declared 
to be AC. There are two defined operations, one of which creates a new map 
by inserting a new domain-range pair into an existing map and the other which 
looks for a domain-range pair having a given domain value in an existing map 
and returns the range value or the constant undefined if no such pair exists. 
Note that the last defining equation for each of these operations has the owise 
attribute, indicating that the equation should only be used if no regular equation 
applies. 

Consider the equations defining the insert operation. The first two are for the 
basis cases, contain only free function symbols and could reasonably be expected 
to execute in constant time on any modern implementation of term rewriting. 
The same cannot be said for the third equation. In the case that a match is 
found, the substitution for M will consist of all but one of the domain-range 
pairs underneath the variadic AC symbol. Using a traditional representation 
of AC argument lists, construction of this substitution will take linear time. 
A similar situation occurs with the second defining equation for the look-up 
operation. This contrasts with the O(log(n)) time insert and look-up operations 
of the map class template in the C++ Standard Template Library or the TreeMap 
class in Java. 

2 Basic Approach 

We just consider the simple case of matching where we have a pattern term p 
containing variables and a subject term s which is ground. We wish to decide 
if there is a matching substitution σ such that pσ = s, and if there is, compute 
a single such σ. We do not consider the generation of multiple substitutions, as 
would be needed to handle conditional equations. 

We make the assumption that the same pattern p will be used many times 
and so we allow arbitrary preprocessing and analysis to be done on p before 
using it for matching. 

Matching is inherently recursive and is performed by recursive decomposition 
into matching subproblems between the subterms of p and the subterms of s. 
fmod MAP is 
  sorts Domain Range Map . 
  op undefined : -> Range . 
  op empty : -> Map . 
  op _|->_ : Domain Range -> Map . 
  op _,_ : Map Map -> Map [assoc comm] . 
  var D : Domain . vars R R' : Range . var M : Map . 

  *** insertion 
  op insert : Domain Range Map -> Map . 
  eq insert(D, R, empty) = (D |-> R) . 
  eq insert(D, R, D |-> R') = (D |-> R) . 
  eq insert(D, R, (M, D |-> R')) = (M, D |-> R) . 
  eq insert(D, R, M) = (M, D |-> R) [owise] . 

  *** look-up 
  op _[_] : Map Domain -> Range . 
  eq (D |-> R)[D] = R . 
  eq (M, D |-> R)[D] = R . 
  eq M[D] = undefined [owise] . 
endfm 

Fig. 1. Maude 2 specification for the map data type. 



Solving matching subproblems where the subterms are headed by the same free 
function symbol is straightforward. We focus on solving matching subproblems 
where the subterms are headed by the same AC function symbol f*. 



2.1 Returning “Undecided” 

The idea is that our fast algorithm will solve the easy problem instances ef- 
ficiently while leaving harder problem instances to a slower general purpose 
matching algorithm. Ideally we would be able to make the decision which algo- 
rithm to use before runtime, simply from an analysis of the pattern. 

Unfortunately, if we adopt this approach, the class of patterns we can handle 
using the fast algorithm will be quite restricted. Our experience with the greedy 
matching algorithms used in the Maude 1 interpreter is that it is beneficial to 
handle a larger class of patterns with a fast algorithm, where the fast algorithm 
has the option of returning “undecided” if the matching problem turns out to be 
too hard (generally because of bindings to nonlinear variables that were unknown 
at analysis time) when the matching is attempted. When this happens, the time 
spent in the fast matching algorithm is wasted, and the slower general purpose 
algorithm must be run. 

Of course we must be careful in selecting the class of patterns we will handle 
in the fast algorithm, to ensure that the “undecided” case is atypical, and that 
the time wasted in the fast algorithm when it does occur is small compared to 
the cost of running the slow algorithm. 
2.2 Stripper-Collector Matching 

We now describe our main algorithm, which we refer to as stripper-collector 
matching. Consider an AC matching subproblem 

f*(p_1, ..., p_n) ≤_AC f*(s_1, ..., s_m) 

where subject subterms s_1, ..., s_m are ground. Since this is a subproblem we 
assume that matching may have taken place above and that some set of variables 
B has already been bound, yielding a partial substitution φ. The goal of AC 
matching is to divide up the subject subterms s_j among the pattern subterms 
p_i and compute a substitution σ consistent with φ such that if p_i is assigned a 
single subject subterm s_j then p_iσ = s_j and if p_i is assigned multiple subject 
subterms s_{l_1}, ..., s_{l_k} then p_iσ = f*(s_{l_1}, ..., s_{l_k}). 

Our key idea is to represent the subject argument list s_1, ..., s_m using an 
efficient set data structure. Then we restrict the subpatterns p_i that we will 
handle in such a way that we can compute a solution with p_1, ..., p_{n-1} getting 
one subject each, while everything else is given to p_n. We refer to p_1, ..., p_{n-1} 
as strippers since they have the effect of stripping single arguments from the 
argument list while we refer to p_n as the collector since it collects all the leftover 
arguments. 

Finding the assignments for each of the strippers, p_1, ..., p_{n-1}, is done using 
O(log(m)) time searches of the set data structure while the assignment to the 
collector, p_n, is computed using (n − 1) O(log(m)) deletes from the set data 
structure. It is important that we choose assignments to strippers in such a way 
that should we fail at some stripper we know that there is no match and we do 
not have to backtrack and consider different assignments for earlier strippers. 
This leads to further restrictions on the subterms allowed for strippers and the 
order in which they must be handled. Pattern subterms with n > 2 tend to be 
fairly rare in programming applications so in the most common case we will 
have n = 2 and we will need to do a single search followed by a single delete 
operation to compute a matching substitution. 

In practice, terms will be represented by directed acyclic graphs, otherwise 
rewrites with nonlinear righthand sides become unreasonably expensive since 
variable bindings would need to be copied rather than shared. Thus we cannot 
do destructive updates on our set data structures since in general they will 
be shared with other subterms. What we need in fact, is a data structure for 
persistent dynamic sets. 

2.3 Persistent Dynamic Sets 

Dynamic sets are usually implemented using one of several balanced binary tree 
data structures [2,1,24]. Insertion and deletion operations can be made persistent 
by not storing back pointers, allocating new nodes rather than modifying existing 
nodes and rebuilding the path from a modification back up to the root. 

For simplicity we use red-black trees with the particularly elegant persistent 
insertion algorithm due to Okasaki [23]. Deletion is a rather intricate operation 
which closely follows the regular red-black tree deletion algorithm given in [7, 
Chapter 14]. One difference is that, because we are creating new nodes rather 
than manipulating existing nodes, it pays to combine multiple rotations and 
avoid creating nodes that are then immediately discarded by the next rotation. 
Expanding out the four rebalancing cases given in [7, Chapter 14] we arrive at 
six cases together with their left-right reflections. 

2.4 Augmenting the Data Structure 

We use the terms in the AC argument list as the keys in our red-black trees. 
In each node we also maintain the multiplicity of the argument, along with 
another data item called maximum multiplicity. For a given node N, this value 
is the maximum multiplicity of any node in the subtree rooted at N and can be 
computed incrementally in constant time. For a given multiplicity k, it allows 
us to decide in constant time whether a node with multiplicity greater or equal 
to k exists, and if it does, to locate such a node in logarithmic time. 

Insertion and deletion operations take a term and a multiplicity. In the case 
of an insertion of a term that already exists, rather than do a red-black tree 
insertion, we create a new node with an increased multiplicity and rebuild the 
path to the root. In the case of a deletion which does not remove all the multi- 
plicity of the victim, rather than do a red-black tree deletion, we create a new 
node with a decreased multiplicity and rebuild the path to the root. Thus we 
are really simulating a multiset. 

2.5 Partial Comparison 

The existing linear ordering on terms is fine for efficiently locating a given ground 
term in a red-black tree, and the maximum multiplicity field allows us to effi- 
ciently find a ground term with a multiplicity greater or equal to a given value. 
For efficiently locating potential matches for nonground terms we need another 
tool. For simplicity we assume that all symbols are either AC or free. A partial 
comparison function pc takes a partial substitution φ, a nonvariable, nonground 
term t and a ground term s and returns a result from the four element set 
{eq, lt, gt, f} such that the following properties hold. 

— pc(φ, t, s) = eq implies that for every substitution σ consistent with φ, tσ = s. 

— pc(φ, t, s) = gt implies that for every substitution σ consistent with φ, tσ > s. 

— pc(φ, t, s) = lt implies that for every substitution σ consistent with φ, tσ < s. 

Note that a partial comparison function is allowed to return f everywhere. 

A partial comparison function pc is reasonable if whenever the top symbol 
of t differs from that of s, pc(φ, t, s) is either gt or lt. If t and s share the same 
free top symbol, and we use lexicographic ordering on arguments to linearly 
order terms with free symbols on top, we can do better. For example when φ 
contains assignments for variables X_1, ..., X_n, and g is a free function symbol, 
pc(φ, g(X_1, ..., X_n), g(s_1, ..., s_m)) should never need to return f. 
Let pc be a partial comparison function. Let t be a nonvariable, nonground 
term and let B be a set of variables. The pair (t, B) is said to be pc-complete iff 
for every partial substitution φ that defines exactly the variables in B and every 
ground term s, pc(φ, t, s) = f implies that there is a substitution σ compatible 
with φ such that tσ = s. For example if pc is reasonable, t = f*(X, Y) and 
{X, Y} ∩ B = ∅ then the pair (t, B) is pc-complete since t will match any term 
with an f* on top. 

Constructing a good partial comparison function depends on the term order- 
ing chosen. From now on we will assume the existence of a reasonable partial 
comparison function pc. 

2.6 Allowable Subpatterns 

We now consider what class of subpatterns can actually be handled in the manner 
described above. For the collector we require that it be a linear variable; i.e. it 
must have multiplicity 1 and may not occur elsewhere in the term. For a stripper, 
there are a number of possibilities. 

ground subterm: Here we allow any multiplicity. Since a ground term must 
match an identical term in the argument list we can just search for that 
term in the red-black tree, and do a deletion operation. Of course if the term 
does not occur in the subject argument list with sufficient multiplicity we 
can return failure. 

bound variable: Here we also allow any multiplicity. During the analysis phase, 
when we decide on the order for matching subterms, we will know for each 
matching subproblem what nonlinear variables will already be bound. If the 
variable is bound to a term headed by a symbol other than f* we can treat 
it as a ground subterm. Otherwise we return “undecided”. 
nonvariable, nonground subterm: Here we limit multiplicity to 1. Any vari- 
ables occurring in the nonground term p_i must either be bound or must not 
occur outside of p_i. Furthermore if there are multiple nonground strippers 
p_{v_1}, ..., p_{v_k} they must have the property that for c < d, either p_{v_c} is not unifi- 
able with p_{v_d} (no possible conflict over subject subterms) or p_{v_c} matches p_{v_d} 
(p_{v_d} is at least as general as p_{v_c}). This restriction ensures that an earlier 
stripper will not take a subject subterm needed by a later one. We can find 
a first candidate subject term for assignment to p_i by using our reasonable 
partial comparison function pc to find the leftmost subject term s_j such that 
pc(φ, p_i, s_j) is eq or f. If we want to ensure that p_i matches s_j we need also 
enforce the restriction that (p_i, B) is pc-complete. Since this is quite strict, 
a practical alternative is to just use s_j as a starting point for a match for 
p_i, and keep searching, left to right, until we get a match or we reach an 
s_k such that pc(φ, p_i, s_k) = lt in which case we can return fail. Of course 
once we start searching we require linear time in the worst case. Another 
alternative is to return “undecided” if p_i fails to match s_j. A stripper of this 
form must be handled after strippers of the first two forms to avoid “using 
up” a subterm needed by them. 
high multiplicity unbound variable: We allow at most one of these and only 
if there are no nonvariable, nonground strippers. Also the variable must 
not occur anywhere else in the term (i.e. it is almost linear in the sense of 
[20]). We can find a subject subterm with adequate multiplicity to assign 
to it in O(log(m)) time if such a subterm exists by following the maximum 
multiplicity fields in the red-black tree. A stripper of this form must be 
handled after strippers of the first two forms to avoid “using up” a subterm 
needed by them. 

linear variable: Since linear variables can take anything we can just assign to 
them anything leftover after the other strippers have been dealt with. This 
form of stripper is always handled last. 
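An added example in Python (not code from the paper or from Maude) of the augmented persistent red-black multiset of Sections 2.4 to 2.6: Okasaki's persistent insertion carrying multiplicities and a maximum multiplicity field, the O(log m) search for an argument of high multiplicity, and a ground stripper that removes k copies of a term by rebuilding one path. Terms are encoded as tuples so Python's ordering stands in for the term ordering, and the full red-black deletion needed when a stripper exhausts an argument's multiplicity is left out.

```python
from dataclasses import dataclass
from typing import Any, Optional

RED, BLACK = True, False

@dataclass(frozen=True)
class Node:
    red: bool
    left: Optional["Node"]
    key: Any          # the argument term; any type ordered by <
    mult: int         # its multiplicity in the AC argument list
    right: Optional["Node"]
    max_mult: int     # largest multiplicity in this subtree

def is_red(n):
    return n is not None and n.red

def mk(red, left, key, mult, right):
    """Allocate a fresh node; max_mult is recomputed in constant time."""
    m = max([mult] + [c.max_mult for c in (left, right) if c is not None])
    return Node(red, left, key, mult, right, m)

def balance(red, left, key, mult, right):
    """Okasaki's rebalancing: a black node with a red child that itself has
    a red child becomes a red node with two black children."""
    if not red:
        if is_red(left) and is_red(left.left):
            a, b = left.left, left
            return mk(RED, mk(BLACK, a.left, a.key, a.mult, a.right), b.key,
                      b.mult, mk(BLACK, b.right, key, mult, right))
        if is_red(left) and is_red(left.right):
            a, b = left, left.right
            return mk(RED, mk(BLACK, a.left, a.key, a.mult, b.left), b.key,
                      b.mult, mk(BLACK, b.right, key, mult, right))
        if is_red(right) and is_red(right.left):
            b, c = right.left, right
            return mk(RED, mk(BLACK, left, key, mult, b.left), b.key, b.mult,
                      mk(BLACK, b.right, c.key, c.mult, c.right))
        if is_red(right) and is_red(right.right):
            b, c = right, right.right
            return mk(RED, mk(BLACK, left, key, mult, b.left), b.key, b.mult,
                      mk(BLACK, c.left, c.key, c.mult, c.right))
    return mk(red, left, key, mult, right)

def insert(root, key, mult=1):
    """New version with `mult` more copies of key; the old version is untouched.
    A key already present gets a fresh node with a larger multiplicity and
    only the path back to the root is rebuilt (Section 2.4)."""
    def ins(n):
        if n is None:
            return mk(RED, None, key, mult, None)
        if key < n.key:
            return balance(n.red, ins(n.left), n.key, n.mult, n.right)
        if key > n.key:
            return balance(n.red, n.left, n.key, n.mult, ins(n.right))
        return mk(n.red, n.left, n.key, n.mult + mult, n.right)
    t = ins(root)
    return mk(BLACK, t.left, t.key, t.mult, t.right)   # the root stays black

def multiplicity(root, key):
    """Multiplicity of key in the argument list (0 if absent), in O(log m)."""
    n = root
    while n is not None:
        if key == n.key:
            return n.mult
        n = n.left if key < n.key else n.right
    return 0

def find_with_multiplicity(root, k):
    """Some argument with multiplicity >= k, or None, in O(log m): max_mult
    says at each node which child can hold one (the high multiplicity
    unbound variable stripper of Section 2.6)."""
    n = root
    if n is None or n.max_mult < k:
        return None
    while n.mult < k:
        n = n.left if n.left is not None and n.left.max_mult >= k else n.right
    return n.key

def strip_ground(root, term, k):
    """Ground stripper term^k (Section 2.6): the subject with k copies of term
    removed, or None if it holds fewer than k. Lowering a count rebuilds only
    the path; removing the last copy would need the full red-black deletion
    of Section 2.3, which this example leaves out."""
    def strip(n):
        if n is None:
            return None
        if term < n.key:
            left = strip(n.left)
            return None if left is None else mk(n.red, left, n.key, n.mult, n.right)
        if term > n.key:
            right = strip(n.right)
            return None if right is None else mk(n.red, n.left, n.key, n.mult, right)
        if n.mult < k:
            return None
        if n.mult == k:
            raise NotImplementedError("structural deletion not shown here")
        return mk(n.red, n.left, n.key, n.mult - k, n.right)
    return strip(root)

def subject_tree():
    """Constructed subject from Section 2.7: g(1,1), g(2,4), ..., g(100,10000)."""
    t = None
    for i in range(1, 101):
        t = insert(t, ("g", i, i * i))
    return t
```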



2.7 A Concrete Example 

Consider the matching problem 

h(f*(g(D, R), M), D) ≤_AC h(f*(g(1, 1), g(2, 4), ..., g(100, 10000)), 42) 

where h and g are free binary function symbols and D, R and M are variables. 
Matching the subterms under the free function symbol h results in a partial 
substitution φ such that φ(D) = 42, and a matching subproblem 

f*(g(D, R), M) ≤_AC f*(g(1, 1), g(2, 4), ..., g(100, 10000)). 

Now assume we use lexicographic ordering on arguments to linearly order terms 
with free function symbols on top, and the usual ordering on integer constants. 
We can design a partial comparison function pc such that pc(φ, g(D, R), g(i, j)) 
returns f when i = 42 and either lt or gt otherwise. Furthermore, (g(D, R), {D}) 
will be pc-complete. Thus we can use pc to efficiently locate a subject subterm 
to match against g(D, R) if one exists. 

2.8 Comparison with Many-to-One AC Matching 

There are similarities between the class of AC patterns we handle and those 
handled by the many-to-one AC matching used in ELAN [22,20]. There are two 
key differences however. 

1. We have the restrictions on nonvariable, nonground terms and variables with 
high multiplicity in order to avoid the need for backtracking. 

2. We handle nonlinear variables, as long as they have already been bound by 
the time the AC matching takes place. 

One possible weakness of many-to-one AC matching with large AC terms can 
be illustrated by the following argument. Suppose we have k patterns each with 
n subterms under an AC symbol and we have a subject with m subterms under 
an AC symbol. We consider the worst case: there are no common subpatterns so 
the many-to-one AC matching algorithm must consider k·n·m combinations of 
pattern and subject subterms; also, all but the last pattern fails to match so any 
sequential algorithm must attempt all k patterns. If the sequential algorithm can 
detect failure quickly for some of the failing patterns it can avoid considering 
many of the k·n·m combinations of pattern and subject subterms. In the Maude 1 
interpreter, some of the special case greedy AC matching algorithms can detect 
failure in O(log(m)) time via binary search even though computing a matching 
substitution takes linear time. This appears to be the main reason why the 
Maude 1 interpreter can hold its own against the ELAN compiler, at least for 
unconditional AC rewriting [20]. Failing fast is important! The key advantage 
of our new algorithm over that used in Maude 1 is that not only can we often 
detect failure in O(log(m)) time, but also, in the success case, we can often 
compute a matching substitution in O(log(m)) time. 

2.9 AC Renormalization 

Following a successful match and replacement, we need to convert the resulting 
term back into AC normal form. We assume that subterms are already in AC 
normal form, either because of bottom-up renormalization or because they were 
assignments to variables. The case we can deal with efficiently is of the form 

f*(t_1^{k_1}, ..., t_n^{k_n}) 

where for some i, t_i is an AC normal form with top symbol f*, k_i = 1 and for 
j ≠ i, t_j has a top symbol different from f*. In this case we can compute the 
AC normal form by doing n − 1 insertions into the argument list of t_i. 

A useful heuristic for deciding when to convert to red-black tree representa- 
tion in the first place is to set some threshold, T. When we arrive at a renormal- 
ization situation of the above form, but ti currently has its argument list stored 
in a more conventional representation such as a vector or list, we convert the 
argument list to a red-black tree if the length of this vector or list exceeds T. 

3 Refinements and Generalizations 

We now sketch some refinements and generalizations of our basic approach. 

3.1 Choice of Ordering on AC Normal Forms 

Linear term orderings typically start with some ordering on function symbols 
and are then built up inductively. In the free theory, lexicographic ordering on 
arguments is often used. When we come to compare a pair of AC normal forms 

α = f*(α_1^{k_1}, ..., α_n^{k_n}) and β = f*(β_1^{j_1}, ..., β_m^{j_m}) 

with the same top function symbol we need to choose some linear ordering on 
their argument lists. Although the choice of ordering will in general affect the 
order in which matching substitutions are found and can therefore affect the 
efficiency of reduction, it seems hard to predict what effect a given ordering 
will have on an arbitrary AC term rewriting system. Instead we seek a linear 
ordering that can be computed quickly in the average case. Typically multi- 
plicity comparisons require several machine instructions while term comparisons 
involve a recursive call. Thus we would like to minimize the number of subterm 
comparisons when α ≠ β. One technique is to first compare n and m. If they 
are equal we then do lexicographic comparison on the sequences of multiplici- 
ties, k_1, ..., k_n and j_1, ..., j_m. Only if these sequences are equal do we finally 
do a lexicographic comparison on the sequences of subterms themselves. One 
drawback of this method is that it requires two passes over the argument lists 
and in the common case that all the multiplicities are 1 the first pass is a waste 
of time. An alternative in the case that n = m is to do a single pass lexico- 
graphic comparison on the sequences k_1, α_1, ..., k_n, α_n and j_1, β_1, ..., j_m, β_m of 
interleaved multiplicities and subterms. This is the ordering adopted in Maude. 



3.2 Order-Sorted Rewriting 

Order-sorted rewriting is a convenient extension of many sorted rewriting [13]. 
It complicates our basic algorithm in two ways. Firstly we need to maintain 
a sort for each reduced subterm. Secondly matching can fail because of sort 
considerations. Let s_{f*} : Sort × Sort → Sort be the sort function for f*; it is 
necessarily associative and commutative. We avoid linear time sort computations 
by maintaining a sort in each red-black tree node. By adding an artificial identity 
to s_{f*} we can calculate the sort of f*(t^k) in O(log(k)) time using the classical 
monoid powering by squaring algorithm. When matching fails because of sort 
considerations, we have to return “undecided”; we minimize the risk of this by 
always choosing the linear variable of largest sort as the collector. 



3.3 Other Equational Theories 

Our basic approach of treating AC-matching as one or more deletions and AC 
renormalization as one or more insertions in a suitable persistent data structure 
can be generalized to other equational theories. We briefly sketch a couple of 
important cases. 

Suppose we add an identity to an AC function symbol to get an ACU func- 
tion symbol (the U stands for Unit). ACU normalization is very similar to AC 
normalization except that we do not include identity elements; this means that 
before doing an insert operation into an ACU argument list we check if the 
element to be inserted is the identity and do not insert it in that case. ACU 
matching is complicated by the possibility of collapses that bring alien non- 
ground arguments into their parents theory. But these situations are atypical 
and can be detected by pattern analysis, in which case a slow general purpose 
matching algorithm can be used. Collapses also complicate the definition of par- 
tial comparison. The other distinctive feature of ACU matching is that variables 
under an ACU symbol might be assigned the identity element; possibly causing 
the collapse in the ACU pattern itself. This is just another case to be checked 
for in the fast algorithm where the matching process would otherwise fail. 

A more interesting situation arises when we remove the commutative axiom 
to get a purely associative function symbol. This case has practical importance 
because it corresponds to lists. We can get an associative normal form by flat- 
tening nested function symbol occurrences without sorting the arguments. A 
fast associative matching algorithm proceeds by stripping arguments from one 
or both ends of the subject's associative argument list. Until we encounter a 
variable subpattern, the correspondence between subpatterns and subject argu- 
ments is forced, and there is no restriction on nonvariable subpatterns in this 
case. 

An appropriate data structure for representing associative argument lists is 
the Persistent Catenable Deque of Kaplan and Tarjan [19] or its amortized time 
simplification [18]. This remarkable if highly intricate data structure supports 
persistent insertions and deletions from both ends of list together with persistent 
concatenation, all in constant time. The constant time persistent concatenation, 
in particular, allows unrestricted associative renormalization, and also allows 
the construction (by self concatenation) of terms whose explicit representation 
would be exponential. 

Using this data structure to represent associative normal forms, a broad class 
of associative rewrite rules could be executed in constant time; i.e. with the same 
complexity as syntactic rewriting. 



4 Practical Considerations 

We now discuss some of the techniques needed for a machine efficient implementation 
of our approach. 

4.1 Iterators 

The first thing we need is an efficient way of making an in-order traversal of 
the argument list under an AC operator without the inconvenience of using 
recursion. Because of the need for persistence, the nodes in our red-black trees 
cannot hold back pointers to their parents. Thus we need to hold the path from 
the root to the current node on an explicit stack. The number of possible red- 
black tree nodes is bounded by the address space of the machine and the height 
of the largest red-black tree is bounded by twice the logarithm of this number. 
Thus we can use small fixed size stacks for iterators. By using fixed size C/C++ 
arrays to hold these stacks and machine pointers to the top elements, each of the 
usual stack operations can be implemented in a couple of machine instructions. 

An iterator is initialized by stacking the path to the leftmost node in the 
red-black tree. To find the next node following an in-order traversal we consider 
two cases: 

1. If our current node has a right child we stack this right child together with 
the path to its leftmost descendant; otherwise, 
make_tree(vec, first, size, is_red) 
  if size = 0 then 
    return nil 
  else 
    left_size := ⌊size/2⌋; 
    right_size := size − 1 − left_size; 
    left_tree := make_tree(vec, first, left_size, 
                           left_size > right_size and pow2min1(left_size)); 
    right_tree := make_tree(vec, first + left_size + 1, right_size, false); 
    return new_node(vec[first + left_size], left_tree, right_tree, is_red) 
  fi 

Fig. 2. Algorithm for constructing a red-black tree from a vector. 



2. we pop the stack until the top of the stack refers to a node whose right child 
is not the node we just popped; if we end up with an empty stack we have 
completed the traversal. 

Thus our implementation becomes a pair of tight loops - one for descending 
leftmost paths and one for ascending rightmost paths. 

For a number of applications, most notably converting a red-black tree to 
a sequence when we wish a more conventional term representation, it is not 
important to have the full path to the current node stored on the stack. In 
this situation we can optimize the traversal algorithm by unstacking the parent 
node when taking a right branch. Then in case 2 above, we need only pop a 
single element of the stack. This technique can be viewed as the explicit stack 
equivalent of the well known tail recursion elimination optimization. 

4.2 Red-Black Tree Construction 

In order to convert from a conventional term representation to our new represen- 
tation we need an algorithm for constructing red-black trees from a given ordered 
sequence. A detailed analysis of this problem together with linear time solutions 
is given by Hinze [16]. However in the case that our sequence is actually stored 
as a vector we can use the simpler recursive algorithm shown in Figure 2. The 
idea is that, at each stage we choose the middle element, preferring the rightmost 
element in the case of a tie. We then create a node with this element and execute 
the algorithm recursively on the left and right subarrays to generate the left and 
right subtrees. It is easy to see that the resulting binary tree will be balanced; 
the subtle point is to generate node colors that preserve the red-black property. 
The idea is that if the left subtree is larger than the right subtree there will need 
to be red nodes in the left subtree to reduce the black height of at least some of 
its leaves. Furthermore, if the left subtree contains exactly 2^n − 1 nodes for some 
n (tested for by the pow2min1 function) then we have a complete binary subtree 
and we can color its root red, reducing the black height of all of its leaves. 

It may not be immediately obvious how to efficiently test if some positive inte- 
ger k is of the form 2" — 1, but in fact the pow2minl function can be implemented 
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with 3 or 4 machine instructions using the following C/C++ bit twiddling trick: 
((k + 1) & k) == 0. We have presented the red-black tree construction algo- 
rithm in recursive form for clarity of exposition but for a real implementation it 
can be made nonrecursive using an explicit fixed size stack. 
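The construction just described, together with the explicit-stack traversal of Section 4.1, as an added example in Python. This is not code from the paper or from Maude, and Figure 2 itself is not reproduced on this page, so the coloring rule is implemented from the description above: the root of a left subtree is colored red exactly when that subtree is larger than its sibling and complete ($2^n - 1$ nodes). The checker verifies the two invariants the text relies on (no red node has a red child, every root-to-leaf path has the same number of black nodes), and the traversal pops the parent before entering its right subtree, which is the "unstack the parent when taking a right branch" optimization.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Node:
    key: int
    red: bool
    left: "Optional[Node]" = None
    right: "Optional[Node]" = None


def pow2min1(k: int) -> bool:
    """True iff k == 2**n - 1 for some n >= 1: the paper's bit trick, k + 1 is a power of two."""
    return k > 0 and ((k + 1) & k) == 0


def build(a: List[int], lo: int, hi: int, red: bool) -> Optional[Node]:
    """Red-black tree over the sorted slice a[lo..hi] (inclusive) whose root gets color `red`."""
    if lo > hi:
        return None
    count = hi - lo + 1
    mid = lo + count // 2                          # middle element, the right one when count is even
    left_count, right_count = mid - lo, hi - mid   # left_count - right_count is 0 or 1
    # Both subtrees have the same black height except when the left one is larger and
    # complete (2**n - 1 nodes): then its root is colored red, which lowers the black
    # height of every leaf under it by one and restores the red-black property.
    left_red = left_count > right_count and pow2min1(left_count)
    return Node(a[mid], red, build(a, lo, mid - 1, left_red), build(a, mid + 1, hi, False))


def rb_build(a: List[int]) -> Optional[Node]:
    """Red-black tree from an ordered sequence; the root is always black."""
    return build(a, 0, len(a) - 1, False)


def black_height(t: Optional[Node]) -> int:
    """Black height of t counting nil leaves as black, or -1 if an invariant fails:
    a red node with a red child, or two paths with different numbers of black nodes."""
    if t is None:
        return 1
    if t.red and any(c is not None and c.red for c in (t.left, t.right)):
        return -1
    lh, rh = black_height(t.left), black_height(t.right)
    if lh < 0 or rh < 0 or lh != rh:
        return -1
    return lh + (0 if t.red else 1)


def is_valid(t: Optional[Node]) -> bool:
    return t is None or (not t.red and black_height(t) > 0)


def to_sequence(t: Optional[Node]) -> List[int]:
    """In-order traversal with an explicit stack: one loop descends leftmost paths, the
    other ascends. A node is popped before its right subtree is entered, so the stack
    never holds a parent we will not return to (the tail-call-style optimization of 4.1)."""
    out, stack, cur = [], [], t
    while True:
        while cur is not None:             # descend the leftmost path, stacking ancestors
            stack.append(cur)
            cur = cur.left
        if not stack:
            return out
        cur = stack.pop()                  # the parent is unstacked before taking the right branch
        out.append(cur.key)
        cur = cur.right


def all_sizes_valid(limit: int) -> bool:
    """Checks every size below `limit`: the tree is a valid red-black tree and traversing
    it returns the original sequence."""
    return all(is_valid(rb_build(list(range(n)))) and
               to_sequence(rb_build(list(range(n)))) == list(range(n)) for n in range(limit))
```

For 14 keys the split is 7 against 6, the left subtree is complete, and its root comes out red; for 13 keys the split is 6 against 6 and every node at the top two levels stays black. Both cases pass the checker, as does every size below a few hundred.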

4.3 Memory Usage 

A vector based representation of AC argument lists typically uses two machine 
words per argument, to hold a pointer to the argument and its multiplicity. 
A linked list representation requires one or two additional machine words per 
argument depending on whether it is singly or doubly linked. 

Our persistent red-black tree representation requires four additional machine 
words per argument over the vector based representation, to hold the maxi- 
mum multiplicity, the left and right subtree pointers, and the node color. In the 
order-sorted generalization, the sort information can share a machine word with 
the color flag. However unlike the vector and linked list approaches where only 
subterms are shared, with the red-black tree representation, large parts of the 
argument lists can be shared between different AC subterms. Depending on the 
term rewriting system, this can more than compensate for the increase in the 
per argument cost of storing the argument lists. 

5 Experimental Results 

To demonstrate the feasibility of our approach we added a red-black tree im- 
plementation of AC argument lists and the associated matching and renormal- 
ization algorithms to the Maude 2 interpreter [6]. The Maude 2 rewrite engine 
is otherwise an incremental improvement over that in Maude 1, which already 
has very competitive AC rewriting performance [20]. The highly modular design 
of the rewrite engine makes it ideal for this kind of experiment since all rewrit- 
ing theories plug into an abstract theory interface which provides generic term 
manipulation primitives. It is therefore easy to support multiple term represen- 
tations and matching algorithms for a given theory with no effect on the rest of 
the system. 

Consider the following recursively defined function on the natural numbers:

$f(0) = 1$

$f(n + 1) = f(\lfloor n/2 \rfloor) + f(\lfloor n/4 \rfloor)$

This definition is somewhat reminiscent of the famous Fibonacci function. Indeed
the only reason we do not use the Fibonacci function is that rapid growth in
the size of the numbers involved obscures the performance of the non-numerical
rewriting. In particular, we need two recursive calls and thus will end up using
exponential time unless we use some kind of memoization or dynamic programming
technique. While Maude has built-in support for memoization, we will
keep an explicit memoization table using the map data type defined earlier in
Figure 1, in order to test the speed of the AC rewriting. The Maude code is
shown in Figure 3. The function computes a map rather than a single value, and
in order to have a concise output, we simply evaluate it near the middle of the
range. Note that the subexpression f(N, M) occurs three times in the right hand
side of the first equation, but it is only evaluated once because Maude combines
common subexpressions.

fmod MAP-TEST is including MAP . protecting NAT .
  subsort Nat < Domain Range .
  var N : Nat . vars M M' : Map .
  op f : Nat Map -> Map .
  eq f(s N, M) = insert(s N,
                        ((f(N, M))[N quo 2]) + ((f(N, M))[N quo 4]),
                        f(N, M)) .
  eq f(0, M) = insert(0, 1, M) .
endfm

red f(100, empty)[50] .
red f(1000, empty)[500] .
red f(10000, empty)[5000] .
red f(100000, empty)[50000] .
red f(1000000, empty)[500000] .

Fig. 3. Benchmark problem for map specification.

Table 1. Performance in seconds, rewrites/second and megabytes used.

                         Vector/legacy               Vector/SC               Red-black tree/SC
Size      Rewrites    seconds  rw/sec   MBs     seconds  rw/sec   MBs     seconds  rw/sec   MBs
100            703       0.02   35150   5.2        0.01   70300   5.7        0.01   70300    5.7
1000          7003       0.71    9863   6.0        0.32   21884   6.6        0.11   63663    6.6
10000        70003     158.82     440    20       71.74     975    20        1.61   43480     19
100000      700003   17496.59      40   187     8766.46      79   187       20.73   33767    138
1000000    7000003          -       -     -           -       -     -      306.48   22839   1373

The results for three versions of Maude 2 running on a 550MHz UltraSPARC IIi
with 1.5GB of RAM are shown in Table 1. The first version (Vector/legacy)
uses the matching algorithms and vector based AC argument list representation
inherited from Maude 1, which includes a primitive version of the stripper-collector
matching algorithm that does not use partial comparison. The second version
(Vector/SC) uses the full stripper-collector matching algorithm presented here
but retains the vector based AC argument list representation. The third version
(Red-black tree/SC) uses the full red-black tree based stripper-collector matching
and renormalization algorithms. The two vector based versions failed to terminate
after a CPU-day while attempting the last reduction. Here the runtime grows
slightly worse than quadratically while rewriting speed falls off slightly worse
than linearly, with the full stripper-collector version about twice as fast as the
legacy version. With the red-black tree representation, the runtime growth is
approximately $n \log(n)$ while rewriting speed falls off approximately logarithmically.
All versions show a somewhat bigger than expected slowdown going from size
1000 to size 10000, probably due to L2 cache effects.

6 Concluding Remarks 

Our method is somewhat intricate and much care is required in the implementa- 
tion to avoid linear time algorithms for other parts of the execution process such 
as term traversal and sort computation. Nevertheless we have shown that our 
method can provide an approximately n/log(n) speed up over the already fast 
algorithms used in Maude 1 for large AC terms and simple AC rewrite rules. 
We plan to implement persistent data structure based rewriting algorithms for 
other equational theories in Maude 2 in the near future. 
Abstract. Several software systems have been developed recently for 
the automated generation of combustion reactions kinetic mechanisms 
using different representations of species and reactions and different gen- 
eration algorithms. In parallel, several software systems based on rewrit- 
ing have been developed for the easy modeling and prototyping of sys- 
tems using rules controlled by strategies. This paper presents our current 
experience in using the rewrite system ELAN for the automated gener- 
ation of the combustion reactions mechanisms previously implemented 
in the EXGAS kinetic mechanism generator system. We emphasize the 
benefits of using rewriting and rule-based programming controlled by 
strategies for the generation of kinetic mechanisms. 



1 Introduction 

Combustion reactions are widely present in our everyday life, taking place in en- 
gines, burners and industrial chemical reactors, to produce mechanical or thermal 
energy, and also to incinerate pollutants or to manufacture chemical substances. 
The optimal design and operation of efficient, safe and clean chemical reactors, 
engines, burners, incinerators is highly desirable. 

The design of combustion processes has mainly been carried out by using 
rather empirical models, while fundamental design, based on scientific princi- 
ples, becomes more and more the main research goal (see e.g. [7,16]). However, 
the generation of detailed fundamental kinetic mechanisms for the combustion 
of a mixture of organic compounds in a large temperature field requires to con- 
sider several hundred chemical species and several thousands of elementary re- 
actions [7]. An automated procedure is the only convenient and rigorous way to 
write such large mechanisms. 

* Work supported by Peugeot Citroen Automobiles. 
A number of software syst ems have been developed for this purpose. A non exhaustive
list of software systems for automatic generation of detailed kinetic combustion
mechanisms is the following: MAMOX [19], NetGen [20], EXGAS [7,22],
GOMGEN [17]. These systems are¹ implemented using traditional imperative
programming, using rather ad hoc data structures and procedures for the representation
and transformation of molecules (e.g. boolean adjacency matrices
and matrix transformations). Flexibility is often absent or limited to menu
systems, whereas the actual use of these systems, during validation of generated
mechanisms by chemists, as well as during their final use for the design of industrial
chemical processes, requires modifications, activations or deactivations of the
involved rules according to new experimental data, reactor conditions, or chemist
expertise. Furthermore, existing systems are limited, sometimes by their technology
based on ad hoc structures, to acyclic species, or mono-cyclic species,
whereas combustion mechanisms often involve aromatic species, i.e. polycyclic
species. 

We present in this paper an alternative approach based on rule-based programming
and strategies. Rule-based systems have gained considerable interest
with the development of efficient compilers. Now, systems like ASF+SDF [13],
Maude [5,6], CafeOBJ [9], or ELAN [3,4] are used for various applications like
constraint solving, protocol verification, modeling of biological systems, and
more. This paper presents a system, named GasEl, based on the ELAN system, that
generates kinetic mechanisms of fuel combustion. This is one of the objectives
of a research project that involves two teams from Nancy, France: one team of
computer scientists from LORIA² and a team of chemists from DCPR³ that
developed the kinetic mechanism generator system EXGAS [7,22]. 

ELAN has some good properties for the generation of kinetic mechanisms: 
chemical reactions are naturally expressed using conditional rules, themselves 
easily understood by chemists; ELAN matching power allows for retrieving pat- 
terns in chemical species, thanks to the capability of handling multiset structures 
through the use of associative and commutative functions; ELAN provides a strat- 
egy language and strategy constructors to define control on rules, which appears 
as essential for designing generation mechanisms in a flexible way; thanks to its 
efficient compiler, ELAN can handle a large number of rules application (several 
thousands per second) and is thus well-suited to the computational complexity 
of the modeling. 

Of course, some technical difficulties remain. One of them is that cyclic 
molecules are easily represented by graphs whereas ELAN can only do term 
rewriting. Another one is elimination of redundancies that requires intelligent 
search in huge data sets. The paper presents the solutions that we adopted. 

The idea that rewriting techniques can be applied to chemistry is not new. Ac- 
tually, even the chemical metaphor has been exploited to define computational 



¹ as far as the literature says

² LORIA is the Lorraine Laboratory for Research into Information Technology and
its Applications

³ DCPR is the Department of Physical Chemistry of Reactions
models [2]. Indeed, kinetic elementary mechanisms look like graph rewriting
rules. However, at least in this context, existing rewriting software is not used
in practice for the automatic generation of kinetic combustion mechanisms. One
reason is that pure graph rewriting is not sufficient: one needs for example to
rewrite not only graphs, but associative commutative forests of graphs, with an
explicit possibility of controlling rule applications, as their order is sometimes
really important or dependent on external conditions such as temperature. Furthermore,
the type of involved rules is particular, in the sense that chemical
rules obey external properties such as conservation laws. We hope this paper
provides some hints to help understand the kind of rewriting which is needed
in this type of industrial application. 

The paper is organized as follows: in Section 2, we position the problem of 
generation of kinetic mechanisms in the whole context of its use by chemists 
and industrial partners, and we give a brief description of the chemical problem 
complexity. In Section 3 we give an example of what a detailed kinetic mechanism 
is for a specific molecule and we give the general procedure for its generation. 
Section 4 presents a description of the problems and the corresponding solutions 
we adopted in GasEl. Conclusions and discussions are presented in Section 5. 

2 Chemical Problem Description 

In this section we give a short presentation of the chemists’ challenges in the 
generation of detailed kinetic mechanisms [7,16]. 

Mastering the combustion reactions necessitates the elaboration and the val- 
idation of a reaction model; the description of the whole process is given in 
Figure 1: 

1. The experimental sequence produces the experimental results for a given 
molecule of hydrocarbon, and consists of two phases: 

(a) experiments done in laboratory reactors; 

(b) acquisition and treatment of physical chemical data. 

2. The modeling sequence has as input a model of the same molecule of hydro- 
carbon and gives simulation results obtained after two steps: 

(a) generation of reaction mechanisms by a generator of mechanisms (e.g. 
EXGAS); 

(b) numerical simulation by a numerical simulator (e.g. CHEMKIN II [12]). 

3. The analysis and adjustment process consists of: 

(a) comparison between the experimental results and the simulation results; 

(b) improvement of the mechanisms generator by introducing new generic reac- 
tions or/and fitting generic parameters. 

Fig. 1. Elaboration and validation process for a reaction mechanisms model 

Our system, GasEl, is intended to be a tool in the modeling sequence, a 
generator of detailed kinetic mechanisms for a specific area: the oxidation and 
combustion of fuels (e.g. Diesel fuels, petrols). 

From a chemistry point of view, the complexity of the problem is induced by 
the composition of the following aspects: 

— The structural complexity of hydrocarbon molecules, that can correspond to 
rather general graphs (planar graphs, trees and also 3D graphs) with many 
symmetries to be considered. 

— The complex composition of fuels or petrols. For example, a fuel for a racing 
car is composed of a mixture of 98 different molecules, the order of 
magnitude for the fuel of a normal petrol car is 300 different molecules, and 
for Diesel fuels it is 3000 different molecules. 

— The combinatorial explosion in the number of chemical species and elemen- 
tary reactions modeling kinetic mechanisms. For example, 479,206 reactions 
and 19,052 species are considered in the simulation of tetradecane pyrol- 
ysis reported in [8], and there are 1,527 reactions and 404 species in the 
combustion reaction model generated with EXGAS for the n-heptane [10]. 

— The duration of the validation process. Usually, in 2-3 years, a chemical 
kinetic experimental PhD thesis validates experimental results for only a few 
molecules (1 to 2), in a couple of reactors. In the same amount of time, a PhD 
thesis related to modeling usually validates reaction mechanisms for only 2 
or 3 molecules, using and requiring several (5 to 10) previously validated 
experimental results for those molecules. 

— The complexity of numerical simulation, based on partial differential equa- 
tions. 

— The multidisciplinary research needed, including expertise from thermody- 
namics, quantum mechanics, transport phenomena, fluid mechanics, chem- 
ical reactors, numerical methods, experimental techniques, etc. See for ex- 
ample [7] for a presentation of the variety of mechanisms involved in the 
modeling of combustion of petrols. 

3 Automated Generation of Mechanisms: 

Primary Mechanism 

The purpose of an automated generator of detailed kinetic mechanisms is to take 
as input one or more hydrocarbon molecules and the reaction conditions and to 
REACTION MECHANISMS FOR C C C C
Unimolecular Initiations

C C C C > C(e) + C(e)C C

C(C)C C > C(e)C + C(e)C

Bimolecular Initiations

C C C C + O=O > C(e)(C C C) + O(e)O

C(C)C C + O=O > C(e)C C + O(e)O

Oxidation reactions

C(e)C + O=O > C=C + O(e)O

Fig. 2. Fragment of the GasEl output for n-butane: e denotes a free electron and 
molecules with free electrons are free radicals 



give as output the list of elementary reactions applied and the corresponding 
thermodynamic and kinetic data. 

For example, for the combustion of n-butane, C4H10, 778 reactions are 
generated by EXGAS, and 164 new species are obtained. A fragment of the 
corresponding GasEl output is given in Figure 2. 

For every reaction, a module, not discussed in this paper, needs to calculate 
using specific rules the associated kinetic parameters (usually encoded by 3 
real numbers) and, for every species, the associated thermodynamic parameters (14 
coefficients of some polynomials in EXGAS) [7]. 

The generated detailed kinetic mechanisms can be the result of several phases: 
the “primary mechanism” can be followed by the “secondary mechanism” , usu- 
ally based on lumping techniques not considered in this paper, to get even more 
complete descriptions of the involved mechanisms [7] . 

In the primary mechanism a set of ten reaction patterns should be applied to 
an initial mixture of molecules. A complete description of the involved reactions 
patterns is out of the scope of this paper, but the chemistry-like presentation 
from Figure 3 gives the flavor of the transformations needed to be encoded. 

We mention that every reaction pattern is actually also guarded by “chemi- 
cal filters”, i.e. chemical conditions of applications, not mentioned here, even if 
several of them are currently implemented: they include considerations on the 
number of atoms in involved molecules or free radicals, the type of radicals or 
the type of bonds, etc. Some of them are discussed in [7]. 

From a computer science point of view, primary mechanism can be seen as 
the result of several phases (see Figure 4): 

1. The initiation phase: unimolecular and bimolecular initiation reactions (re- 
action patterns 1 and 2 in Figure 3) are applied to the initial reactants, i.e. to 
the initial mixture of molecules. Let $RS_1$ be the set of all free radicals that 
can be obtained. 

2. The propagation phase: a set of generic patterns of reactions (reaction pat- 
terns 3-8 in Figure 3) are applied to all free radicals in $RS_i$ to obtain a 
new set $RS_{i+1}$ of free radicals. $RS_{i+1}$ consists of all free radicals of $RS_i$ plus 
those that can be obtained by these reactions. 

This is iterated until no new free radical is generated. 
 1  unimolecular initiation (ui)               A-B  ->  •A + •B

 2  bimolecular initiation (bi)                A=B + S-T  ->  •A-B-T + •S

 3  addition of free radicals to oxygen (ad)   O=O + •R  ->  •O-O-R

 4  isomerisation of free radicals (is)        •A-B-TH  ->  AH-B-T•

 5  unimolecular decomposition of free radicals by beta-scission (bs)
                                               •A-B-T  ->  A=B + •T

 6  unimolecular decomposition of hydroperoxyalkyl free radicals to cyclic ethers (cy)
                                               •A-B-O-OH  ->  A-B (O bridging A and B, a cyclic ether) + •OH

 7  oxidation of free radicals (ox)            O=O + •A-BH  ->  A=B + •O-OH

 8  metathesis (me)                            •R + A-H  ->  R-H + •A

 9  combination of free radicals (co)          •R + •S  ->  R-S

10  disproportionation of free radicals (di)   •A-B-T + •R  ->  A=B + R-T

Fig. 3. Reaction patterns of the primary mechanism, given by emphasizing patterns like a 
single (-) or double (=) bond, a free radical (•A), or a specific atom (O, H). Symbols 
different from atom symbols (C, O, H) are variables and can be instantiated by any 
radical 

Fig. 4. The primary mechanism 

3. The termination phase: combination and disproportionation reactions (reac- 
tion patterns 9 and 10 in Figure 3) are applied to the free radicals of $\bigcup_i RS_i$ to 
get a set $R$ of molecules. 



4 GasEl — System Description 

According to Tomlin et al. [21], a mechanism generation program should have 
the following features: 

— generated chemical species should be stored in a form that can be easily ma- 
nipulated and its notation must be unique and non-ambiguous (canonical); 

— it should generate a given species or reaction only once; 
— it should be able to filter out those reactions which are obviously unimpor- 
tant. 

The classical techniques which are known in the literature to solve these is- 
sues, and which are actually used in currently existing software, are the follow- 
ing: molecules are represented by graphs, mostly restricted to the acyclic case, 
or at least to the mono-cyclic case, and internally represented by their adja- 
cency matrices, i.e. boolean square matrices. One system uses something differ- 
ent here: in the EXGAS system, molecules are represented as tree-like structures, i.e. 
special symmetry-factorized trees with maximal sharing, for which some theoret- 
ical canonical representation results have been established, but only for acyclic 
species [22]. For adjacency matrices, procedures to detect equalities between 
different graph representations of the same molecule are based on the Morgan algo- 
rithm [14], or extensions (see e.g. [11,24]), sometimes using topological in- 
dices [18]. With respect to existing systems, the solutions implemented in GasEl 
are original in several aspects, described in this paper. 

Taking advantage from the experience of the team that developed EXGAS, 
the issues that we have to solve are the following: 

1. We need a good internal representation for chemical objects: chemical species 
(i.e. molecules and free radicals) and mixture of species (see Section 4.1): a 
difficulty here is that we are using a term-rewriting system and that cyclic 
molecules correspond to graphs. 

2. We need a way to test whether two representations of a molecule are repre- 
sentations of the same molecule (see Section 4.3). This is vital for example to 
detect termination of the propagation phase in the primary mechanism. 

3. We need a way to express into computational concepts various chemists ex- 
pertise, like the description of reactions pattern of primary mechanisms (see 
Section 4.4), or the description of chemical filters (e.g. conditions on applica- 
tion/non-applications of rules according to temperature domain) (see Section 
4.7). 

4. We need to allow flexibility and ease of modification of the rules that are 
used for the generation of mechanisms, according to chemist expertise or 
according to new experimental data (see Section 4.7). 

The rest of this paper is devoted to describing how GasEl fulfills all these 
requirements in an original way. 

4.1 Representation of Species 

We need a way to represent molecules and free-radicals. We need a priori to 
fix an external representation for inputs/outputs of the system, as well as a 
representation for the internal computations. Unlike what is classically done in 
existing software systems [1], we propose to use the same notation for both. 

As ELAN is a term rewriting system, we use the linear notation called SMILES 
presented in [23] . This notation is compact and well-suited because acyclic graphs 
are represented as trees. We briefly recall the principles of this representation: 
Fig. 5. Representations of molecules: a. molecular graph of methylcyclopropane; b. cor- 
responding hydrogen-depleted molecular graph; c. corresponding SMILES notation; d. 
molecular graph of acetic acid; e. corresponding hydrogen-depleted molecular graph 
and SMILES notation 



1. Molecules are represented as hydrogen-suppressed molecular graphs. 

2. If the hydrogen-suppressed molecular graph has cycles, we transform it into 
a tree applying the following rule to every cycle: choose one fresh digit and 
one single or aromatic bond of the cycle, break the bond and label the 2 
atoms with the same digit. 

3. Choose a root of the tree, and represent it like a concatenation of the root 
and the list of its sons. 

For example, the term C1(C)CC1 represents methylcyclopropane and the 
term CC(=O)O represents acetic acid: see Figure 5. 

In Figure 6 we give the signature of our notation: 

— atoms are represented by their atomic symbols; 

— the sort symbol is extended to the concatenation of the sort symbol and int 
in order to code cycles; 

— single, double, triple and aromatic bonds are represented by the SMILES 
symbols -, =, # and : respectively and belong to sort bond; 

— a molecule is represented as a root and the list of sons that belongs to sort 
radical_list; 

— the user definition of the list of sons has a particular form, inspired 
by the chemical notation SMILES (see e.g. [23]) and is defined using an 
associative-commutative operator; 

— a special symbol e of sort radical is introduced for the representation of 
free radicals (a free radical •R is a molecule in which an atom has a free 
electron). 

C, c, O, o, H : symbol;                           /* Atom specification */
@ @           : (symbol int) symbol;              /* Labels for cycle closure specification */
-, =, #, :    : bond;                             /* Bond specification */
e             : radical;
@             : (symbol) radical;                 /* Molecules and radicals specification */
@ @           : (symbol radical_list) radical;
@             : (radical) radical_list;           /* List of radicals specification */
@ @           : (bond radical) radical_list;
(@)           : (radical_list) radical_list;
@ @           : (radical_list radical_list) radical_list (AC);

Fig. 6. GasEl signature of molecules and free radicals notation 

38      Olivier Bournez et al. 



4.2 Representation of Mixtures of Species 

We need a way to represent mixtures of molecules and free radicals. We pro- 
pose to benefit here from the associative-commutative matching possibilities of 
ELAN: in ELAN, a mixture has the sort reactif, using the following signature 

@     : (radical) reactif;
@ + @ : (reactif reactif) reactif (AC);

For example, C C C C + O=O + C C(=O)O is a term that represents a mixture 
of n-butane, oxygen and acetic acid. 

4.3 Equality Test for Species 

As pointed out by Tomlin et al. in [21], chemical species should be stored in 
a mechanism generation program in a canonical form: i.e. a unique and non- 
ambiguous form. Classical canonicity algorithms in this context are either based 
on transformations applied to the adjacency matrices of the molecule [11,14,24], 
or restricted to the acyclic case when considering other ad hoc data struc- 
tures [22]. 

In our term-based representation, a molecule is a tree. Different choices of the 
root induce different trees representing the same molecule. We call these trees 
the visions of the molecule: see Figure 7. 

Testing if two terms represent the same molecule is done in 2 steps: 

1. An operator AllVis generates all the visions of a molecule by choosing every 
node of the tree representing the molecule to be the root. 

2. Two terms $M_1$ and $M_2$ are equivalent if $M_1$ and $M_2$ have the same number 
of atoms and if $M_1$ is a vision of $M_2$: 

is_eq(M1, M2) => true if no_at(M1) = no_at(M2) and 
                         M1 ∈ AllVis(M2) 

Our algorithm is exponential. However, recall that no polynomial algorithm 
is known for the graph isomorphism problem. The problem is in NP, but whether 
it is NP-complete or polynomial is a well known open problem [15]. 
C(C(C)(C)C)C(C)C
C(C)(C)CC(C)(C)C
C(C)(C)(CC(C)C)C
CC(CC(C)C)(C)C
CC(C)CC(C)(C)C

Fig. 7. Visions of iso-octane: all the distinct visions modulo commutativity 



The current version is clearly not optimal. Improvements are currently in- 
vestigated, in particular classical chemical techniques based on topological in- 
dices [18] can be considered. 



4.4 Encoding Chemical Reactions 

Generic elementary reactions are transformations applied to a mixture of molec- 
ules and free radicals. 

We need to express the ten elementary reactions of Figure 3. Addition of free 
radicals to oxygen, oxidation of free radicals, combination of free radicals and 
disproportionation of free radicals are expressed directly as rewrite rules: the 
generic reaction, expressed as a graph transformation is encoded directly into a 
term rewrite rule. 

For example, the generic reaction of oxidation of free radicals is the following: 

O=O + •A-BH -> A=B + •O-OH 

This means, chemically speaking, that a molecule of oxygen, O=O, abstracts an 
H atom in the β position with respect to the radical point, with the formation of 
the free radical •O-OH and an unsaturated molecule (a molecule with a double 
bond). 

This corresponds, in other words, to the graph transformation given in Fig- 
ure 8 and is coded directly by the following ELAN rewrite rule: 

[ox] O=O + A(e)(-B x) y => A(=B x) y + O(e)O 
     if no_H(B x) >= 1 
end 

where A and B are variables of sort symbol, x and y are variables of sort 
radical_list and the function no_H(R) returns the number of implicit hydrogen 
atoms in the root of R. 
Fig. 8. Oxidation of free radicals; a dotted line corresponds to an (implicit) hydrogen 
atom 



4.5 Exhaustive Application of Reactions to a Given Molecule 

The other generic chemical reactions require more work. We take the example 
of unimolecular initiation. A unimolecular initiation consists in breaking a sin- 
gle bond of a molecule and is represented, in the acyclic case, as the following 
reaction pattern: 

A-B -> •A + •B 

Breaking a C-C bond which does not belong to a cycle corresponds to the graph 
transformation given in Figure 9. 

Fig. 9. Unimolecular initiation: the root X with sons Rad and x becomes 
X(e) x + molec2rad(Rad) 



Similarly to Section 4.4, we obtain the following ELAN rewrite rule: 

[ui] X (Rad) x => X(e) x + molec2rad(Rad) end 

where X is a variable of sort symbol, Rad is a variable of sort radical and x 
is a variable of sort radical_list. The operator molec2rad( ) transforms its 
argument into a free radical and is defined by two ELAN rewrite rules: 

[] molec2rad(X Rad) => X (e) Rad end 

[] molec2rad(X (Rad) x) => X (e) (Rad) x end 

The power of the associative-commutative matching of ELAN allows us to 
give generic ELAN rewrite rule [ui] for the unimolecular initiation that will be 
applied to all sons of root X. 

The previous rewrite rules have to be applied everywhere inside the terms 
and based on the semantics of the strategy language of ELAN, to apply a named 
rewriting rule (e.g. [ui] ) to all sub-terms we adopted the following technique: 

1. Apply the operator AllVis to the molecule X (Rad) x. 

2. Apply the generic ELAN rewrite rules for unimolecular initiation to every 
vision of the molecule given by the AllVis operator. 
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For cyclic molecules, we have to simulate (a restricted type of) graph-rewriting 
using term-rewriting. 

To deal with cyclic molecules in the unimolecular initiation, we first need to 
test whether the bond to be broken is on a cycle or not; in the affirmative case a 
single free radical is generated by the fusion operator; if the bond to be broken 
is not on a cycle, the rewrite rule is similar to the acyclic case. Therefore, we 
need to add the following rule: 

[ui_cycle] X (Rad) x => fusion(X(e) x, molec2rad(Rad)) 
where labels_1 := () get_cycle_label(X x) 
where labels_2 := () get_cycle_label(Rad) 
if common(labels_1, labels_2) 
end 

and to change the previous rule [ui] into 

[ui_CC] X (Rad) x => X(e) x + molec2rad(Rad) 
where labels_1 := () get_cycle_label(X x) 
where labels_2 := () get_cycle_label(Rad) 
if not(common(labels_1, labels_2)) 
end 
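The "apply [ui] under every vision of the molecule" technique of this section, written out as an added Python example (this is not GasEl or ELAN code). Molecules are rooted trees (symbol, is_radical, sons); every parent-son bond is broken in turn, which is what AllVis followed by [ui] achieves, and the resulting radical pairs are canonicalised with sorted son lists so that results equal modulo the order of sons (the role of ELAN's AC matching) are detected as duplicates. Only acyclic molecules are handled: the cycle-label test of [ui_cycle] is not simulated, and the tree notation and the sample molecules are constructed for this example.

```python
# Added example (not GasEl/ELAN code): exhaustive unimolecular initiation of an
# acyclic molecule with plain Python trees, mirroring AllVis + [ui].
# A molecule is a rooted tree: (symbol, is_radical, tuple_of_sons).

def atom(symbol, *sons, radical=False):
    """Build a tree node; `sons` are the atoms bonded below this one."""
    return (symbol, radical, tuple(sons))

def canon(node):
    """Canonical string of a rooted tree.  Sons are sorted, so two trees that are
    equal up to the order of sons (associativity/commutativity of the son list,
    which ELAN handles by AC matching) print identically."""
    symbol, radical, sons = node
    return symbol + ("(e)" if radical else "") + "".join(
        "(" + canon(s) + ")" for s in sorted(sons, key=canon))

def molec2rad(node):
    """molec2rad: the detached fragment becomes a free radical at its root."""
    symbol, _, sons = node
    return (symbol, True, sons)

def break_bond(node, path):
    """Remove the son selected by `path` (son indices from the root) and mark its
    former parent as a radical: the X(e) x part of rule [ui]."""
    symbol, radical, sons = node
    i, rest = path[0], path[1:]
    if not rest:
        return (symbol, True, sons[:i] + sons[i + 1:])
    return (symbol, radical, sons[:i] + (break_bond(sons[i], rest),) + sons[i + 1:])

def unimolecular_initiations(mol):
    """Apply [ui] to every bond of `mol` (every vision given by AllVis) and return
    the distinct reactions as sorted pairs of canonical radical strings."""
    reactions = set()

    def visit(node, path):
        for i, son in enumerate(node[2]):
            remainder = break_bond(mol, path + (i,))   # X(e) x
            fragment = molec2rad(son)                   # molec2rad(Rad)
            reactions.add(tuple(sorted((canon(remainder), canon(fragment)))))
            visit(son, path + (i,))                     # recurse: all visions

    visit(mol, ())
    return reactions

def C(*sons, **kw):
    return atom("C", *sons, **kw)

# Constructed inputs: isobutane C(C)(C)C and 2-methylbutane C(C)(C)CC.
ISOBUTANE = C(C(), C(), C())
METHYLBUTANE = C(C(), C(), C(C()))

if __name__ == "__main__":
    for name, mol in (("isobutane", ISOBUTANE), ("2-methylbutane", METHYLBUTANE)):
        print(name, canon(mol))
        for lhs, rhs in sorted(unimolecular_initiations(mol)):
            print("   ", canon(mol), "->", lhs, "+", rhs)
```

Isobutane has three equivalent C-C bonds, so the three visions collapse to one reaction after canonicalisation; 2-methylbutane has four bonds of three kinds and yields three distinct reactions.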

4.6 Encoding the Primary Mechanism 

Using the power of the ELAN strategies, the primary mechanism is defined in 
a natural way. It corresponds to the concatenation of three strategies, one per 
phase: tryinit for the initiation phase, tryPropag for the propagation phase 
and tryTermin for the termination phase: 

[] mec_prim => tryinit; tryPropag; tryTermin end 

The user-defined strategies tryinit and tryTermin are easily expressed using 
the ELAN choice strategy operator dk applied to the strategies (the ELAN rewrite 
rules) defining the generic reactions. The dk operator ("don't know choose") takes 
all the strategies given as arguments and returns, for each of them, the set of all 
its results. 



[] tryinit => dk(ui, bi) end 

The output of the initiation phase applied to ISO-octane is illustrated in 
Figure 10. 

Strategy tryPropag is defined as the iteration of one step of propagation 
using the ELAN strategy iterator repeat*: 

[] tryPropag => repeat* (propagOne) end 

Strategy repeat* iterates its argument strategy until it fails and returns the 
terms resulting from the last non-failing call of the strategy. Strategy propagOne 
is defined in the same way as tryinit, using a dk operator applied to the generic 
reactions of the propagation phase. 
Unimolecular Initiations 

C C(C)C C(C) (C)C      -->  C e + C(C) (C C(C) (C)C)e 

C C(C)(C)C C(C)C       -->  C e + C(C) (C) (C C(C)C)e 

C(C(C)C)C(C) (C)C      -->  C(C(C)C)e + C(C)(C)(C)e 

C(C(C)C)C(C) (C)C      -->  C(C(C) (C)C)e + C(C) (C)e 

Bimolecular Initiations 

O=O + C(C) (C)C C(C) (C)C  -->  C(C) (C) (C C(C) (C)C)e + O(e)O 

O=O + C C(C)C C(C) (C)C    -->  C(C(C)C C(C) (C)C)e + O(e)O 

O=O + C C(C) (C)C C(C)C    -->  C(C(C) (C)C C(C)C)e + O(e)O 

O=O + C(C(C)C)C(C) (C)C    -->  C(C(C)C) (C(C) (C)C)e + O(e)O 

Fig. 10. Initiation reactions of ISO-octane combustion 



4.7 Flexibility and Control of Application of Elementary Reactions 

The previous techniques allow great flexibility, thanks to the power of matching 
and of the strategy language of ELAN. For example: 

— Chemical filters, such as testing whether a free radical is β, βμ, μ, or Y, are 
easily encoded by matching against the corresponding patterns. 

— Modifying the set of generic chemical reactions applied in the primary mecha- 
nism corresponds to a direct and natural modification of the corresponding 
strategy. 

— Activating or deactivating the application of generic chemical reactions to 
cycles corresponds to a simple modification of a strategy: replace, for example, 
dk(ui_cycle, ui_CC) by dk(ui_CC). 



5 Conclusions and Discussions 

In this paper, we describe our experience in building a system, named GasEl, 
based on the ELAN system, for the automatic generation of chemical kinetic com- 
bustion mechanisms. 

The main innovative feature of our system, compared to the existing ones (MA- 
MOX [19], NetGen [20], EXGAS [7,22]), is that it can handle polycyclic molecules. 

Compared to EXGAS, GasEl is much more flexible thanks to its modular design, 
to the rule-based formalism and to the ELAN strategy language. 

The outcomes of the GasEl project, which involves chemists from the team that 
developed the EXGAS system and computer scientists from the team that developed 
ELAN, are twofold: 

Chemists got a new system that extends the generation of combustion mech- 
anisms to (poly)cyclic species. The fact that GasEl is now considered to be the 
successor of EXGAS shows that they understand the benefits of the presented 
approach. Further work is to provide them with a friendly interface, allowing them 
to visualize cyclic molecules, to easily introduce new rules and design new strate- 
gies, or to connect this tool more directly with existing software, in order, for 
example, to get automatic association of thermodynamic and kinetic parameters 
to reactions and reactants. 
Computer scientists got, in the modeling of the generation of detailed kinetic 
mechanisms, a real challenge for testing the benefit of using rewriting and 
rule-based programming controlled by strategies. This experience teaches sev- 
eral things. First, that existing chemical software, at least in the context of 
automatic generation of chemical kinetic combustion mechanisms, does not really 
use rewriting techniques, but rather ad hoc structures and techniques. Second, 
that one reason explaining this fact is that the type of objects involved is not 
pure term-rewriting, nor pure graph-rewriting, nor something already directly 
present in existing software: as the paper shows, we want “easily-controllable 
molecule transformations”, with the ever-present need to test whether a given 
generated molecule or radical has already been obtained. As molecules can be cyclic, 
and hence correspond to rather general graphs, what we need corresponds to 
a kind of associative and commutative rewriting of forests of graphs controlled by 
strategies. Since no existing rewriting software is currently able to deal directly 
with this kind of feature, and taking advantage of our experience with the 
ELAN system, we actually developed the application using ELAN, i.e. associative 
and commutative term rewriting controlled by strategies. 

Of course this approach has drawbacks: for example, the techniques that are used 
to emulate graph rewriting can clearly be improved in efficiency. However, as the 
discussion shows, when repositioning this system in the chemists' world (see, for 
example, the number of processes that can be validated in a PhD) this computer- 
scientist efficiency issue may not be such an important drawback. 

Moreover, our approach revealed three further interesting points. First, the 
time for the development of the tool (two years now) can be compared to the 
time required for the development of similar features in the EXGAS system, even 
if of course we are using their experience. Second, even if we cannot rewrite 
graphs in ELAN, we have associative and commutative matching and strategies, 
and hence we have almost all the required features. And third, and this is the 
main point, we believe this work has given hints about what is really required 
to address this type of industrially motivated application. 

Future work includes significant computer tests and validation by chemists and, 
of course, offering all the features of the EXGAS system, providing a friendly interface, 
or connecting GasEl with other computer systems, but also better understanding 
this latter point. For example, it is clear that chemical rules always obey 
some conservation laws. Can we characterize chemical rules abstractly? Can we 
characterize the associated rewriting theory? 
Abstract. We present a name-free λ-calculus with explicit substitutions 
based on a generalized notion of director strings: we annotate a term with 
information about how each substitution should be propagated through 
the term. We first present a calculus where we can simulate arbitrary 
β-reduction steps, and then simplify the rules to model the evaluation 
of functional programs (reduction to weak head normal form). We also 
show that we can derive the closed reduction strategy (a weak strategy 
which, in contrast with standard weak strategies, allows certain reduc- 
tions to take place inside λ-abstractions, thus offering more sharing). Our 
experimental results confirm that, for large combinator-based terms, our 
weak evaluation strategies outperform standard evaluators. Moreover, 
we derive two abstract machines for strong reduction which inherit the 
efficiency of the weak evaluators. 



1 Introduction 

Over the last few years a whole range of explicit substitution calculi have been 
proposed, starting from the λσ-calculus [1]. Although there are many different 
applications of such calculi, one of the main advantages that we see in describing 
the substitution process at the same level as β-reduction is that it allows us to 
control the substitution process, with an emphasis on implementation. 

In [7] we introduced a named calculus with explicit substitution, copy and 
erasing. This calculus implements a closed reduction strategy defined by a con- 
ditional set of rules and characterized by the fact that substitutions must be 
closed before they can be propagated. For this reason, although this calculus 
uses names, α-conversion is not needed. At the end of [7] we also hinted at an 
alternative presentation of the calculus using director strings, which on one hand 
internalizes the conditions on the reduction rules, and on the other hand offers a 
simpler, name-free syntax (this version of the calculus was presented in [8]). The 
purpose of the present paper is to explore the properties of the more general 
calculi that arise from the new syntax. These calculi then naturally give rise to 
abstract machines (strategies) suitable for reduction to weak head normal form. 
Furthermore, we resolve one of the open problems of [7], and derive, from a fur- 
ther generalization of director strings, ways to reduce to full normal form. We 
consider this important for several reasons: 
— Part of the culture of explicit substitutions is name-free. Our syntax offers an 
alternative to de Bruijn indices [6], which have become the standard name-free 
syntax for such calculi. 

— We provide a generalization of director strings, which were introduced in [11] 
for combinator reduction. In our generalized director strings, reduction under 
abstractions is allowed and we can simulate arbitrary β-reductions. 

— Our notation is natural from an operational point of view in an explicit 
substitutions calculus: we annotate terms to indicate what they should do 
with a substitution. Closed reduction can then be seen as a natural restriction 
that leads to a simple rewrite system for weak reduction. 

We thus see the calculi presented in this paper both as an alternative syntax 
for explicit substitutions and as a basis for more efficient implementations of the 
λ-calculus. 

Standard weak explicit substitution calculi avoid α-conversion by allowing 
neither reduction under abstraction nor propagation of substitution through an 
abstraction (see for instance [5]). In contrast, our calculi allow certain reductions 
under, and propagation of substitutions through, abstractions. In this way more 
reductions can be shared. Moreover, we may use the explicit information given by 
directors to avoid copying a substitution which contains a free variable, avoiding 
the duplication of potential redexes. 

We have implemented a family of abstract machines for weak and strong 
reduction based on the director strings calculi, and the benchmarks (given in 
Section 7) show that the level of sharing obtained is close to optimal reduc- 
tion [12,9,3] with considerably less overhead. Immediate applications of this 
work include, on one hand, λ-calculus/functional language evaluators (where 
weak reduction is needed), and on the other hand, partial evaluation (also called 
program specialization) and proof assistants based on powerful type theories 
(where strong reduction is needed). 

Related work. Our work is clearly related to the general work on explicit sub- 
stitution calculi (starting from the λσ-calculus [1]). However, it is much more 
in line with the use of explicit substitutions for controlling the substitution pro- 
cess in implementations of the λ-calculus [2,15,10,13]. Director strings were used 
in [11] for combinatory reduction, and in [8] for closed reduction, which is the 
starting point for the present work. 

Overview. The rest of this paper is structured as follows. In the following section 
we provide the background material; specifically, we define the syntax of director 
strings. In Section 3 we present a general calculus where we can simulate arbi- 
trary β-reduction steps. Section 4 presents the simplified local open calculus and 
the closed reduction system. We then use these calculi to define several abstract 
machines: weak (Section 5) and strong ones (Section 6), which we experimentally 
compare (Section 7). Finally, we conclude the paper in Section 8. 
2 Director Strings 

We briefly recall the basic ideas of director strings, which were introduced in [11] 
for combinatory reduction. As an example, consider a term with two free vari- 
ables f and x, and substitutions for both f and x: ((f (f x))[F/f])[X/x]. The 
best way to perform these substitutions is to propagate them only to the place 
in the syntactic tree where they are required. Figure 1(a) shows the paths which 
the substitutions should follow in the tree. 



[Figure 1: (a) the paths followed by the two substitutions through the syntax 
tree of f (f x), whose leaves are f, x, f, x; (b) the same tree annotated with 
director strings.] 

(a) Paths (b) Annotated term 

Fig. 1. Substitution paths and director strings 

A natural way to guide the substitutions to their correct destination is given 
in Figure 1(b) by director strings, which annotate each node in the graph with 
information about where the substitution must go. When the substitution for f 
passes the root of this term, a copy of F is sent to both subterms, and the 
director is erased. The second substitution can then pass the root, where it is 
directed uniquely to the right branch by the director ↗. Note that substitutions 
are copied only when they need to be: if there is just one occurrence of a variable 
in a term, then no duplication is performed. 

This simple idea works well when the substitution is closed (does not contain 
free variables) . Otherwise, as each open substitution passes a given node we must 
add the additional directors for each free variable in the substitution. 

Definition 1 (λ-calculus with director strings). We define three syntactic 
categories: 

Directors: We use four special symbols, called directors: ↗, ↖, ⋎ (a merged 
↖↗, written ⋎ here) and ↑: 

1. ↗ indicates that the substitution should be propagated only to the right 
branch of a binary construct (application or substitution, as given below). 

2. ↖ indicates that the substitution should be propagated only to the left 
branch of a binary construct. 

3. ⋎ indicates that the substitution should be propagated to both branches of 
a binary construct. 

4. ↑ indicates that the substitution should traverse a unary construct (ab- 
straction and variables, see below). 

Strings: A director string is either empty, denoted by ε, or built from the above 
symbols (as usual we omit the constructor and simply write σ_1 σ_2 ... σ_n). 
We use Greek letters such as ρ, σ, ... to range over strings. The length of a 
string σ is denoted by |σ|. If a is a director, then a^n denotes a string of 
a's of length n. If σ is a director string of length n and 1 ≤ i ≤ j ≤ n, σ_i 
denotes the i-th director of σ and σ∖i = σ_1 ... σ_{i-1} σ_{i+1} ... σ_n is σ where the 
i-th director has been removed. σ_{i..j} = σ_i ... σ_j is our notation for substrings. 
|σ|_l denotes the number of ↖ and ⋎ occurring in σ, and |σ|_r the number of 
↗ and ⋎. 

Annotated Terms: Let σ range over strings, k be a natural number and t, u 
range over annotated terms; then the following are valid terms: 

t ::= □ | (λt)^σ | (λ⁻t)^σ | (t u)^σ | (t[k/u])^σ 

where □ represents variables (a place holder), (λt)^σ is an abstraction where 
the bound variable occurs in the term t, whereas (λ⁻t)^σ is an abstraction 
where no new variables are bound, (t u)^σ is an application, and finally 
(t[k/u])^σ is our notation for explicit substitution, meaning that the variable 
corresponding to the k-th director in t's string is to be replaced by u. We will 
often write (t[u])^σ instead of (t[1/u])^σ when the substitution binds the first 
variable. 

The name of the variable is of no interest since the director strings give the 
path that the substitution must follow through the term to ensure that it gets 
to the right place; all we need is a place holder. Also, we omit the director for 
variables since it is always ↑. 

In contrast with other explicit substitution syntaxes, ours has explicit infor- 
mation about copying (⋎) and erasing (λ⁻). This is inspired by linear logic, and 
will allow us finer control over substitutions. There is an alternative presentation 
which adds a director to indicate that the substitution should be erased (i.e. 
the variable to be substituted does not occur in the term). For practical reasons 
we have chosen a syntax that combines the erasing with the abstraction: we erase 
terms as soon as possible. Similarly, we will postpone duplication of a term as 
much as possible. We will discuss this choice again in Section 3.3. 

As with most λ-calculi, we will adopt several syntactic conventions: we will 
drop parentheses whenever we can, and omit the empty string ε unless it is 
essential. 

Remark 1. Our use of this calculus is rather as an object language: the image 
of a translation of correctly formed λ-terms; thus we shall not enter here into 
a possible set of conditions on when an annotated term is a valid one (such a 
criterion may be found in [14]). We use a function ⟦·⟧ to compile a λ-term into 
our syntax, and an inverse function to read it back. The definitions are straightforward 
and omitted; we just need to know the order in which directors are generated: in 
our compilation the last director in a string corresponds to the variable bound 
by the innermost λ (see the examples below). 
Example 1. We show the compilation of some λ-terms: 

I = ⟦λx.x⟧ = (λ□)^ε 

K = ⟦λx.λy.x⟧ = (λ(λ⁻□)^↑)^ε 

S = ⟦λx.λy.λz.(x z)(y z)⟧ = (λ(λ(λ((□□)^{↖↗}(□□)^{↖↗})^{↖↗⋎})^{↑↑})^↑)^ε 

2 = ⟦λf.λx.f(f x)⟧ = (λ(λ(□(□□)^{↖↗})^{⋎↗})^↑)^ε 



Lemma 1 (Length of Strings). Let fv(t) denote the set of free variables of 
the λ-term t (under Barendregt's convention). 

If |fv(t)| = n, then the director string σ of ⟦t⟧ satisfies |σ| = n. 

In particular, a closed term will always have an empty director string (ε). 

3 The Open Calculus 

We will now give the reduction rules on the above defined terms that will allow 
us to fully simulate the λ-calculus. This calculus is called open (λ_o) in contrast 
with the calculus for closed reduction (λ_c) defined in Section 4.2, which is simpler 
but does not fully simulate β-reduction. 



3.1 The Beta Rule 

We need a Beta rule to eliminate β-redexes and introduce an explicit substitution 
instead. In a compiled term (λt^ν)^ρ the variable bound by the abstraction is 
determined by the last director in ν, and |ν| = |ρ| + 1 (by Lemma 1). The Beta 
rule will therefore create an explicit substitution for |ρ| + 1. 

Beta:   ((λt)^ρ u)^σ → (t[|ρ|+1/u])^σ 

Remark 2. If the function is closed, then the substitution binds the first (and 
only) variable of t (the first director): ((λt)^ε u)^σ → (t[u])^σ. 

3.2 Propagation Rules 

We need rules to propagate the substitutions created by the Beta rule. The 
directors indicate the path that the substitution should follow: we will need a 
rule per term construct and possible director. 

To understand how the rules for the propagation of substitutions are de- 
fined, consider a simple case: an application (t u)^{↖ρ} with a substitution which 
should be propagated to the left branch of the application node, as the director 
↖ indicates. Assume the substitution concerns the first variable, i.e. we have 
((t u)^{↖ρ}[v])^σ. We need a rule of the form: 

((t u)^{↖ρ}[v])^σ → ((t[v])^{ρ'} u)^{σ'}        (App1) 
Let's try to find ρ' and σ'. Suppose that a (closed) substitution is applied to 
the left- and right-hand sides of the above equation, and look at the leading 
directors. If, for example, σ = ρ = ↖, then the substitution is for t on the left, 
so we must have σ' = ρ' = ↖ to ensure that the substitution is also guided 
towards t on the right. If σ = ↖ and ρ = ↗, then it is to be directed towards u, 
and we must have σ' = ↗ while ρ' is not concerned (say ρ' = ε here). Finally, 
if σ = ↗, the substitution is for v, and we write σ' = ↖ and ρ' = ↗. 

We obtain most of the propagation rules in the same way. Notice that not 
every combination of directors is to be considered, as some of them do not 
correspond to valid terms. 



Name   Reduction                                                      Cond. 

Var    (□[v])^σ → v 

App1   ((t u)^ρ[i/v])^σ → ((t[j/v])^ν u)^τ                             ρ_i = ↖ 
       where ν = φ_l(σ, ρ∖i), τ = ψ_1(σ, ρ∖i), j = |ρ_{1..i}|_l 

App2   ((t u)^ρ[i/v])^σ → (t (u[k/v])^ω)^τ                             ρ_i = ↗ 
       where ω = φ_r(σ, ρ∖i), τ = ψ_2(σ, ρ∖i), k = |ρ_{1..i}|_r 

App3   ((t u)^ρ[i/v])^σ → ((t[j/v])^ν (u[k/v])^ω)^τ                    ρ_i = ⋎ 
       where ν = φ_l(σ, ρ∖i), ω = φ_r(σ, ρ∖i), τ = ψ_3(σ, ρ∖i), 
             j = |ρ_{1..i}|_l, k = |ρ_{1..i}|_r 

Lam    ((λt)^ρ[i/v])^σ → (λ(t[i/v])^{…})^{…}                            ρ_i = ↑ 

LamE   ((λ⁻t)^ρ[i/v])^σ → …                                            ρ_i = ↑ 

Comp   ((t[j/u])^ρ[i/v])^σ → (t[j/(u[k/v])^ω])^τ                        ρ_i = ↗ 
       where ω = φ_r(σ, ρ∖i), τ = ψ_2(σ, ρ∖i), k = |ρ_{1..i}|_r 

The various functions φ and ψ just compute the ad hoc director strings. The 
details of the functions are not essential and are omitted, but they are generated 
recursively in the same way as above from the table below (left): 



σ_1 ρ_1 | φ_l | φ_r | ψ_1 | ψ_2 | ψ_3 

(case table by the leading directors σ_1 and ρ_1; its entries are not legible in this 
copy) 

So for instance: 

φ_l(↗σ, ρ) = ↗ φ_l(σ, ρ) 



These rules deserve some explanations: 

— The Var rule is the simplest. When the substitution reaches such a place 
holder, we know that it is indeed the right variable (because the substitution 
has been guided there earlier). Notice that here σ = ↗^n for some n, and all 
the information we need is in the directors of v (we discard σ). 

— The rules for application are the main rules here. Depending on ρ_i, the 
substitution is guided to the left or right, or copied in App3, only when there 
is more than one occurrence of the given variable. The new director strings 
are computed by ad hoc functions from σ and ρ (omitting the director of 
the last one). 
— Surprisingly enough, the rules that allow an open substitution to pass through 
an abstraction (Lam and LamE) are very simple. This is a quite remark- 
able property, as this is especially difficult in usual calculi. For example, it 
requires α-conversion in a calculus with names. 

— The Comp rule is almost identical to App2, except that the application 
is replaced by a substitution. We could have written composition rules for 
substitutions similar to App1 and App3, but the substitutions would then be 
allowed to overtake each other (i.e. their order would not be preserved), which means 
that the system would trivially fail to preserve strong normalization. 

— We have a small number of propagation rules in comparison with standard 
explicit substitution calculi. However, our rules require non-trivial syntac- 
tic computations on director strings when we consider arbitrary substitu- 
tions. The system can be drastically simplified if we impose some restrictions 
on the substitutions, as we will see in the next section. Note that the condi- 
tion on ρ_i has been externalized only to improve readability and is of course 
a simple pattern-matching. 



Example 2. We show a reduction sequence using this calculus. Consider the λ- 
term λx.(λy.y)x which contains a single redex: 

⟦λx.(λy.y)x⟧ = (λ((λ□)^ε □)^↗)^ε → (λ(□[□])^↗)^ε → (λ□)^ε = ⟦λx.x⟧ 

Note that an encoding into combinators, using director strings as presented 
in [11], would not allow this redex to be contracted, and thus if used as an 
argument it could potentially be duplicated. In this sense, our calculus offers a 
generalization of the director strings of [11]. 

3.3 Erasing 

To write a BetaE rule we need a new director meaning that we erase the 
substitution it concerns; we write it ⊘ here. This director may appear anywhere 
in a string (in the general open rules), so it is a director on its own. Moreover, it 
may appear on binary as well as unary symbols, so it may be mixed with either ↖, 
↗, or ↑. If we do add this director, we can then write: 

BetaE:   ((λ⁻t)^ρ u)^σ → t^{ρ'}   where ρ' = f(σ, ρ) 

where f is a recursive function that computes the new director string as follows: 

f(↗σ, ρ) = ⊘ f(σ, ρ) 
f(↖σ, a ρ) = a f(σ, ρ) 
f(⋎σ, a ρ) = a f(σ, ρ) 

Obviously, every rule in the system has to be rewritten to take into account 
the new director. These changes are straightforward and we omit them due to 
space constraints. 
3.4 Properties 

The aim of this paper is not to study the properties of the above system as a 
rewriting system, but rather to use it to implement efficient reduction strategies. 
However, it is worth briefly stating several important properties, omitting the 
proofs. First, arbitrary β-reductions can be simulated in the following sense: if 
t → u in the λ-calculus, then ⟦t⟧ reduces to ⟦u⟧ in λ_o. Additionally, λ_o is (ground) 
confluent and preserves strong normalization. 

4 Simplification 

We now have a general framework to simulate the λ-calculus with a director 
strings notation. However, our aim is to search for new efficient reduction strate- 
gies, so we may give up completeness if we can gain some efficiency and simplicity, 
provided that we are still able at least to reduce closed terms to weak head nor- 
mal form, which is the widely accepted minimal requirement for a λ-evaluator, 
such as found in functional compilers and interpreters. 

4.1 The Local Open Calculus 

Let's have a second look at the above defined calculus. From an algorithmic 
point of view, the rewrite rules cannot clearly be considered as constant time 
operations, because we have to access directors at arbitrary positions in strings, 
and the computation of the new director strings looks a priori linear in the size 
of the original ones. 

If we now have a closer look at the Beta rule, we may notice that for a redex 
where the function is closed, we generate a substitution for the first (and only) 
variable of the function body (which was bound by the abstraction). Moreover, 
we know from [8] that restricting β-reduction to closed functions still allows us 
to reach weak head normal form for closed terms. In this section we will thus 
describe the calculus resulting from this restriction, which greatly simplifies the 
rules. This calculus will be called local open (λ_l) because it still allows open 
substitutions to propagate, even inside abstractions. This does not need global 
rewrite steps if we restrict the syntax to allow substitutions for the first director 
only. 

Definition 2 (λ_l-calculus). Below are shown the reduction rules for the local 
open calculus. 
Name    Reduction 

Beta    ((λt)^ε u)^ρ → (t[u])^ρ 

BetaE   ((λ⁻t)^ε u)^ρ → t 

Var     (□[v])^σ → v 

App1    ((t u)^{↖ρ}[v])^σ → … 

App2    ((t u)^{↗ρ}[v])^σ → (t (u[v])^{…})^{…} 

App3    ((t u)^{⋎ρ}[v])^σ → … 

Lam     ((λt)^{↑ρ}[v])^σ → (λ(t[v])^{…})^{…} 

LamE    ((λ⁻t)^{↑ρ}[v])^σ → (λ⁻(t[v])^{…})^{…} 

Comp    … 

(the director-string patterns of the App, Lam and Comp rules are not legible in 
this copy) 

Even though the rules in this system apply to terms with director strings of 
a particular pattern, the system is still suitable to reduce general terms, thanks 
to the following property. 

Lemma 2 (Completeness of the reduction). In any reduct of a closed com- 
piled term, any subterm of the form (t[u])^σ has a director string σ = ↗^m ↖^n 
for some natural numbers m, n. 

Proof. It is sufficient to notice that the rules for propagation only generate sub- 
stitutions of this form, and that the Beta rule does as well: if the term ((λt)^ε u)^σ 
is well-formed (and it is, by induction) then σ is of the form ↗^m. □ 

We remark that, in this calculus, we allow even open substitutions to pass 
through abstractions, without any global reduction step. This is of course one 
of the greatest strengths of this calculus, compared to those based on names or 
de Bruijn indices. 

Proposition 1 (Properties of λ_l). The calculus is correct, adequate for reduc- 
tion to weak head normal form, confluent, and preserves strong normalization. 

Proof. The proofs are easily adapted from those for λ_c found in [8] and [7]. □ 



4.2 The Closed Calculus 

The notion of closed reduction was introduced in [7] using a calculus of explicit 
substitutions with names where β-reductions are performed when the function 
part is closed (as above) and substitutions are propagated through abstractions 
only if they are closed, which is crucial to avoid α-conversion in a named setting. 
These restrictions are expressed by rewrite rules with external conditions on free 
variables, and the internalization of these conditions was the main motivation 
for the introduction of director strings in [8]. 

Here we can easily derive a calculus for closed reduction (λ_c) from the table 
above: Beta, BetaE, Var are the same; in every other rule we force v to be closed, 
that is, to have an empty string (ε). Moreover, in App1, App2 and App3, m = 0, and in 
Comp, m = p = 0 and n = q. This leads to a very simple rewriting system for 
weak reduction with several advantages: 

— closed substitutions can be propagated through abstractions, which permits 
more sharing of work than in standard weak calculi, 

— we forbid copying open terms, which ensures that we never duplicate a po- 
tential redex, 

— the usual properties still hold [7,8]: 



Proposition 2 (Properties of λ_c). The calculus is correct, adequate for reduc- 
tion to weak head normal form, confluent, and preserves strong normalization. 
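The compilation of Section 2 (Example 1, Lemma 1), the Beta rule for a closed function (Remark 2), Example 2, and the closed calculus λ_c just derived, written out as an added Python example; this is not the authors' implementation, and the reduction strategy it uses (apply any rule anywhere, bottom-up, until none applies) is a plain normaliser, not the abstract machine of Section 5. The directors are written as letters, an assumption of this example: L for ↖, R for ↗, B for ⋎, U for ↑. With v closed the new director strings of App1-3, Lam, LamE and Comp reduce to counting: the substitution node keeps only ↖ directors (all its free variables live in the term being substituted into) and the node it passed keeps the tail of its old string. The example applies BetaE only when the argument is closed too, so that no director elsewhere in the term is left dangling; that is a choice of this example, not a rule of the paper.

```python
# Added example (not the paper's implementation): lambda-terms to director
# strings, and reduction with the closed calculus (lambda_c) rules.
# Directors as letters (assumption of this example):
#   L = left branch (↖), R = right branch (↗), B = both (⋎), U = unary (↑).
# Annotated terms are tuples whose last field is the director string:
#   ('var',)                the place holder (its string is always U, omitted)
#   ('lam', body, binds, s) binds=False is the erasing abstraction (λ⁻)
#   ('app', t, u, s)        application
#   ('sub', t, v, s)        explicit substitution for the first variable of t

def dstring(t):
    return 'U' if t[0] == 'var' else t[-1]

def count_l(s):  # |s|_l: directors that send a substitution into the left branch
    return sum(d in 'LB' for d in s)

def count_r(s):  # |s|_r: directors that send a substitution into the right branch
    return sum(d in 'RB' for d in s)

def compile_term(term, ctx=()):
    """Named terms: ('v', x) | ('l', x, body) | ('a', f, arg).  `ctx` lists the
    enclosing binders outermost first, so the last director of a string always
    belongs to the innermost lambda.  Returns (annotated term, ordered free vars)."""
    if term[0] == 'v':
        return ('var',), [term[1]]
    if term[0] == 'a':
        t, fvt = compile_term(term[1], ctx)
        u, fvu = compile_term(term[2], ctx)
        fv = [x for x in ctx if x in fvt or x in fvu]
        s = ''.join('B' if x in fvt and x in fvu else 'L' if x in fvt else 'R' for x in fv)
        return ('app', t, u, s), fv
    x = term[1]
    t, fvt = compile_term(term[2], ctx + (x,))
    fv = [y for y in fvt if y != x]
    return ('lam', t, x in fvt, 'U' * len(fv)), fv   # |string| = |fv| (Lemma 1)

def step(t):
    """One closed-calculus rule at the root of t, or None if none applies."""
    if t[0] == 'app':
        f, u, s = t[1], t[2], t[3]
        if f[0] == 'lam' and f[3] == '':               # the function must be closed
            if f[2]:
                return ('sub', f[1], u, s)             # Beta (Remark 2)
            if dstring(u) == '':
                return f[1]                            # BetaE, closed argument only (example's choice)
        return None
    if t[0] != 'sub':
        return None
    body, v = t[1], t[2]
    if body[0] == 'var':
        return v                                       # Var
    if dstring(v) != '' or dstring(body) == '':
        return None                                    # lambda_c: only closed substitutions propagate
    d, rho = dstring(body)[0], dstring(body)[1:]
    if body[0] == 'app':
        a, b = body[1], body[2]
        if d == 'L':                                   # App1
            return ('app', ('sub', a, v, 'L' * count_l(rho)), b, rho)
        if d == 'R':                                   # App2
            return ('app', a, ('sub', b, v, 'L' * count_r(rho)), rho)
        return ('app', ('sub', a, v, 'L' * count_l(rho)),            # App3: copy v
                ('sub', b, v, 'L' * count_r(rho)), rho)
    if body[0] == 'lam':                               # Lam / LamE (d is U)
        n = len(rho) + (1 if body[2] else 0)
        return ('lam', ('sub', body[1], v, 'L' * n), body[2], rho)
    if d == 'R':                                       # Comp: the variable sits in u
        return ('sub', body[1], ('sub', body[2], v, 'L' * count_r(rho)), rho)
    return None

def normalize(t):
    """Apply rules bottom-up until none applies (a simple strategy, not Section 5's machine)."""
    if t[0] == 'app':
        t = ('app', normalize(t[1]), normalize(t[2]), t[3])
    elif t[0] == 'lam':
        t = ('lam', normalize(t[1]), t[2], t[3])
    elif t[0] == 'sub':
        t = ('sub', normalize(t[1]), normalize(t[2]), t[3])
    r = step(t)
    return t if r is None else normalize(r)

# Example 1 of the paper as named terms (constructed input).
V = lambda x: ('v', x)
L = lambda x, b: ('l', x, b)
A = lambda f, a: ('a', f, a)
I_TERM = L('x', V('x'))
K_TERM = L('x', L('y', V('x')))
S_TERM = L('x', L('y', L('z', A(A(V('x'), V('z')), A(V('y'), V('z'))))))
EX2 = L('x', A(L('y', V('y')), V('x')))              # Example 2: λx.(λy.y) x

if __name__ == "__main__":
    print(compile_term(K_TERM)[0])                    # ('lam', ('lam', ('var',), False, 'U'), True, '')
    print(normalize(compile_term(EX2)[0]))            # ('lam', ('var',), True, '')
```

Running S K K I through `normalize` shows the closed restriction at work: inside λz.(K z)(K z) the Beta steps create substitutions of the open term □, which λ_c leaves untouched, and only once the closed argument I arrives do Comp, LamE and BetaE fire and return ⟦λx.x⟧.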



5 An Abstract Machine for Evaluation 

In this section we will exhibit a strategy which makes use of the explicit in- 
formation carried by director strings to efficiently reduce closed terms to weak 
head normal form. Efficiency is measured with respect to the total number of 
rewriting steps (not just β-steps) and we will give experimental comparisons in 
Section 7. 

Notice that the syntax of director strings allows us to identify the moment 
when we have to copy a term, and we can reduce it before copying. In particular, 
we may want to use the most general rules, in order to be able to reduce a 
term to be copied to its full normal form, thus avoiding copying any redex. 
However, if we do so, then open substitutions are allowed in App3 as well, which 
means that terms with free variables, i.e. potential redexes, might be copied. 
Our experimental tests confirmed that by restricting just that rule to the closed 
case, we obtain a strategy very similar to closed reduction. This is because 
the propagation of an open substitution is very likely to be blocked by this 
restriction. Thus, the best strategy we found is based on the closed calculus, 
which is quite good news since it is also the simplest. 

We cannot expect to reduce to full normal form with the closed rules, but 
some open terms can still be reduced. Thus, our strategy to compute the weak 
head normal form of a term t can be summarized as follows: we use the closed 
calculus, which allows some extra reductions under abstractions, but we stop 
the reduction as soon as we reach a weak head normal form of t. The extra 
reductions are done only when we reduce a subterm to be copied, to share more 
work than in usual strategies. 

To formally specify this strategy we will interleave one strategy which reduces 
under λ's and one which does not. We thus define three relations: →_w, →_f and 
→. The last one will be the strategy we want to exhibit. Below we give the 
operational semantics of the closed abstract machine: 
t (Ar)^ V 



(Beta) 



t 



(x-vY 



(BetaE) 



{t uY —>-w V {t uY ->-u, V 

t V u ^ (Ar)'^ A (f ^ (A^r)*^ V /9 e) 

{t uPy {v upy 

uY w {t {u[v'^])-^'"'''y ^yjW 

(^ppl) ~F71 — (App2) 



{{t ~^w W 



((t u)^p[v’^]y ~^w W 

{{t u)Xp[v-]y w ^ ^ 

(A(i[u'=])'^''’''^')P V (A-(t[u"])'^''’V u 

(Lam) : — (LamE) 



((Ai)'^P[u^])‘=" V 

V -^U] W 



((A-t)ip[M'=])'" V 



{t[{u[v^])-^''’']y w 

(□[w])'^ {{t[u])^P[v^]y W 

t u {u[vP]y -^^wpYe 

{t[vp]y w 



(Va 



(Comp) 



The reduction relation $\to_w$ is used as a tool to define the other two and should not be interpreted on its own, as it does not treat the case of an abstraction. Notice that the App rule calls the stronger reduction $\to_f$, which is defined by:

[Inference rules defining $\to_f$; their premises and conclusions did not survive extraction.]

$\to_f$ is the relation which reduces under λ's (but not to full normal form).

$\dfrac{t \to_w v}{t \to v} \qquad (\lambda t)^\alpha \to (\lambda t)^\alpha \qquad (\lambda^- t)^\alpha \to (\lambda^- t)^\alpha$

Finally, — >■ is the combination of the two other relations: we reduce to weak 
head normal form, but we reduce more the subterms that will be copied. 

It may seem that the machine returns terms which are not head normal forms (cf. the (Arg) rule). In fact, the theory ensures that this is not the case: starting from a closed term, the closed rules allow us to reach a weak head normal form (see Proposition 2). Nevertheless, the (Arg) rule may be applied in a reduction of a term to be copied, so it is indispensable.

The (Subst) and (Comp) rules call for a comment: the restriction on (Subst) ($v$ open) forces (Comp) to be used as much as possible before reducing to the left of a closed substitution. Both intuition and experimentation confirm that this is indeed the right choice.



6 Reduction to Full Normal Form 

We have presented so far a rather complex system to fully simulate β-reduction and simpler systems to reach only weak head normal form. If we were however interested in computing full normal forms, which is the case for many applications (e.g. partial evaluation or proof assistants), then we could of course use the general setting. But this is not really satisfactory because of the complexity and inefficiency of this system. Moreover, it does not provide any guidance towards an efficient strategy. On the other hand, we have an efficient strategy to reduce closed terms to weak head normal form. The idea then naturally arises to use our efficient weak evaluator to reach full normal form, in a way similar to [4].

The idea is to reduce a closed term to weak head normal form, then to distinguish the variable bound by the outermost abstraction in some way (to “freeze” it), so that we can still consider the term under the λ as closed, and recursively apply the same process to this subterm. There are several ways to distinguish those variables in the syntax. Below we present two natural alternatives.

With names. If we choose to represent the frozen variables with names, we can avoid any complex manipulation of the director strings to keep track of the paths to these variables. As a result, we obtain a rather simple system because we can use the usual rules (for example the closed ones), where the frozen variables are just considered as constants and do not need any extra rule. Moreover, readback into the named λ-calculus is then performed at the same time.

Formally, we extend the syntax of terms in the following way, where $\alpha$ ranges over director strings, and $x$ ranges over variable names:

$t, u ::= \Box \mid (\lambda t)^\alpha \mid (\lambda^- t)^\alpha \mid (t\,u)^\alpha \mid (t[u])^\alpha \mid x \mid \lambda' x.t$

that is, we add named variables, whose implicit director string is $\epsilon$, and a named abstraction binding written as $\lambda' x.t$. We do not write any director string for this abstraction, since we will always consider closed terms of this form.

Using a weak evaluation relation $\Downarrow_w$ we can then define reduction to full normal form $\Downarrow_f$:



$\dfrac{t \Downarrow_w (\lambda t')^\alpha \quad (t'[x])^\alpha \Downarrow_f t'' \quad x \text{ fresh}}{t \Downarrow_f \lambda' x.t''}$

$\dfrac{t \Downarrow_w (\lambda^- t')^\alpha \quad t' \Downarrow_f t'' \quad x \text{ fresh}}{t \Downarrow_f \lambda' x.t''}$

$\dfrac{t \Downarrow_w x \quad (x \text{ variable})}{t \Downarrow_f x}$

$\dfrac{t \Downarrow_w (u\,v)^\alpha \quad u \Downarrow_f u' \quad v \Downarrow_f v'}{t \Downarrow_f (u'\,v')^\alpha}$

Notice that the last rule is used since we are now in a calculus with constants (the named variables), and the weak head normal form of a term may be an application (e.g. $(x\,t)^\alpha$ where $x$ is a named variable).

If we want to reduce an open term, say with $n$ free variables, we first take $n$ fresh variable names $x_1, \ldots, x_n$ and start the reduction from:

$((\ldots((t[x_1])^{\alpha_1}[x_2])^{\alpha_2} \ldots [x_{n-1}])^{\alpha_{n-1}}[x_n])^{\alpha_n}$

The reduction to normal form follows exactly the same strategy as the corresponding weak reduction. Thus, for terms for which full and weak head normal forms are the same, the two processes need the same numbers of β and total steps. In particular, this strategy is much more efficient than the usual naive one.

Although we now have to deal with names and fresh variables during reduction (which was not the case for reduction to weak head normal form), we still do not have to deal with name capture and α-conversion. Also, the readback is now simplified.

With directors. The previous strategy performs readback at the same time as the computation of the normal form, which may or may not be desired. We can however implement a similar idea using only directors, obtaining a result in this syntax. We just need a way to distinguish between usual variables and frozen ones, which correspond to an abstraction outside of the term we actually want to reduce to weak head normal form. This can be done in a quite obvious way: by introducing a new kind of director corresponding to these frozen variables. However, the frozen part of director strings may be of any form, so we need to use the general rules on this part. From an algorithmic point of view, this means that the cost of a reduction step may be at most linear in the depth of λ-abstractions in the resulting normal form, which still seems reasonable.

7 Experimental Results 

Our work has always been motivated by efficiency, so it was essential to implement our machines and compare them experimentally to existing machines. However, it is difficult, if not impossible, to find a relevant measure to compare machines implemented in different frameworks. The following benchmarks should thus be taken with great care. They are not intended for direct comparisons between strategies (as the algorithmic cost of a single step may vary) but to illustrate their respective asymptotic behaviours.

We chose our examples in λI (i.e. terms without erasing) in order to isolate the problem of erasing, which is quite orthogonal to the problem of efficiency on λI-terms. The Church numerals are an excellent means to produce a panel of large λ-terms. We recall that Church numerals are of the form $n = \lambda f.\lambda x.f^n x$ and that application corresponds to exponentiation: $n\,m = m^n$. We apply Church numerals in our examples to $I\,I$, where $I = \lambda x.x$, which is sufficient to force reduction to full normal form, and allows comparisons between weak and full reducers.

We compare our machines with a standard call-by-value evaluator (which is always better than call-by-name on these examples), and in addition with the optimal interpreter of Asperti et al. (BOHM [3]). The latter provides a comparison with the best known evaluator for such terms. We show the total number of steps of these evaluators (including stack manipulations). For BOHM we give the total number of reduction steps. We show the number of β-reductions between round brackets, thus the number shown for BOHM is the minimum number of β-reductions possible. The results for the machines that reduce to full normal form are not shown, as they are the same as those of the underlying weak strategies on these examples.
Term            closed              weak closed         CBV                 BOHM
2 2 I I         61 (9)              71 (11)             82 (11)             40 (9)
2 2 2 I I       140 (19)            361 (47)            302 (42)            100 (16)
3 2 2 I I       248 (33)            5842 (705)          3508 (531)          184 (21)
5 5 I I         217 (33)            28161 (4065)        26669 (3913)        229 (33)
4 2 2 I I       448 (59)            1524963 (179395)    852306 (131108)     342 (26)
5 2 2 I I       832 (109)                                                   847 (31)
2 2 2 2 2 I I   1507714 (196655)                                            1074037060 (61)



It is not easy to find a relevant measure for comparison with abstract machines found in widespread evaluators. However, to put some of these results into perspective, we remark that the actual time taken to compute, for example, 5 2 2 I I using OCaml is around 5 minutes, and around 3 minutes using Standard ML. The results for both closed reduction and BOHM are essentially instantaneous.

The main point that we want to make with the above table is that closed reduction, a simple implementation of the λ-calculus, clearly outperforms traditional strategies, such as call-by-value, and moreover is a serious competitor to highly sophisticated implementations, such as BOHM.

The interesting point is the comparison on large terms. The results show that our machine is able to reduce larger terms than the other machines, and the larger the term, the better our machine compares to the others. This hints that it allows for a high degree of sharing (because the larger the term, the more sharing is possible). The last line of the table shows that our machine eventually explodes in terms of number of β-reductions compared to the optimal one but outperforms BOHM in total number of steps, which is our notion of efficiency.

We also compared our machine to a so-called “weak closed” one, which is the same but forbidding reductions under abstraction. This is to emphasize that allowing such reductions, which is especially easy with director strings compared to usual calculi, is crucial for both sharing and efficiency.



8 Conclusion 

We have presented a name-free syntax to represent terms of the λ-calculus with explicit substitutions, in a way that follows the usual intuitions about the operational semantics of the propagation of substitutions. We have given a general calculus on director strings which can fully simulate the λ-calculus, with rather complicated rules. We then described an intermediate calculus, the local open calculus, with very simple rules and still allowing open substitutions to traverse abstractions without global rewriting. Finally, we derived the closed reduction calculus of [8], which internalizes the conditions on the original system [7].

These calculi were used as a basis to describe and implement abstract machines for weak and strong reduction (the latter was an open problem for director strings). Efficiency was our main motivation and guided every one of our choices. We found on practical examples that these machines are quite efficient on large terms and allow for a high degree of sharing. In particular, they compare quite favourably to standard evaluators, which suggests that more efficient implementations of functional languages and λ-calculus based proof assistants are still possible.
Abstract. Rewriting Logic has been shown to provide a general and elegant framework for unifying a wide variety of models, including concurrency models and deduction systems. In order to extend the modeling capabilities of rule-based languages, it is natural to consider that the firing of rules can be subject to some probabilistic laws. Considering rewrite rules subject to probabilities leads to numerous questions about the underlying notions and results. In this paper, we discuss whether there exists a notion of probabilistic rewrite system with an associated notion of probabilistic rewriting logic.



1 Introduction 

Rewriting Logic [19] is known to provide a very elegant and powerful framework for unifying a wide variety of models, including concurrency models and deduction systems. Indeed, the basic axioms of this logic, which are rewrite rules of the form $t \to t'$, where $t$ and $t'$ are terms over a given signature, can be read in two dual ways: computationally, $t \to t'$ can be read as the local transition of a concurrent system, or logically, $t \to t'$ can be read as the inference rule of some logic [19]. Several computer systems, including MAUDE [11] and ELAN [7], are based on this framework and have been intensively used in the last decade for the prototyping of various kinds of logics and systems: see the survey [18].

In order to extend the modeling capabilities of rule-based languages, it seems natural to extend the framework with probabilities: for example, the modeling of concurrent systems often requires considering that the local transitions $t \to t'$ can be subject to some probabilistic laws [8]. This leads to numerous questions about the underlying theories and results.

In a previous RTA paper [8], strategies were shown to provide a nice setting for expressing probabilistic choices in rule-based languages. Probabilistic abstract reduction systems and notions like almost-sure termination or probabilistic confluence were introduced and related to the classical notions.

This paper is devoted to a next step: understand whether there exists a 
valid and useful notion of rewrite system and rewriting logic in presence of 
probabilities. 

In classical (non-probabilistic) rewriting theory each rewrite system induces a reduction relation which defines the relation of an abstract reduction system over the terms: see e.g. [2]. When considering systems with probabilistic firing of rules, the analog of abstract reduction systems seems to be the notion of probabilistic abstract reduction systems introduced in [8]. Can we build a valid and nice notion of probabilistic rewrite system, that would induce probabilistic abstract reduction systems over terms in a natural way?

A first natural idea is to consider the following notion: define a probabilistic rewrite system as a classical rewrite system, i.e. a set of rewrite rules, plus associated probabilities (or weights, see the discussion later): i.e. a probability (or a weight) for each rule.

In the classical setting, the reflexive transitive closure of the relation induced by some rewrite system can be proved to correspond to the smallest reflexive transitive relation that contains the identities involved by the rewrite system and which is closed under substitutions and $\Sigma$-operations: see e.g. [2]. That means in particular that one can build a sound and complete proof system that decides whether two terms are related by the reflexive transitive closure of the reduction relation of a given rewrite system. This proof system corresponds to the deduction rules of Rewriting Logic [19]. Does that work in the probabilistic setting?

We prove in this paper that there is no hope to build a sound and complete 
proof system that would prove whether two terms are in relation by the reflex- 
ive transitive closure of the reduction relation of a given rewrite system with 
associated probabilities in the general case. Does there exist however a notion of 
probabilistic rewriting logic? 

We propose a notion of probabilistic rewriting logic. One main difference 
between the proposed setting and the classical rewriting logic setting is that 
proof terms become now mandatory, in order to have completeness results: we 
prove that when proof terms are present, probabilistic rewriting logic is sound 
and complete. 

One main interest of rewriting logic lies in its modeling capabilities [18,19]. 
We show that the proposed probabilistic rewriting logic extends the modeling 
capabilities of classical rewriting logic. 

This paper is organized as follows: the classical non-probabilistic theory is recalled in Section 2. Probabilistic abstract reduction systems are recalled in Section 3. Several computability theory results, which show that there is no way to have sound and complete proof systems that deal correctly with transitivity, are proved in Section 4. The proposed notion of probabilistic rewrite system with its associated semantics is introduced in Section 5. The associated sound and complete probabilistic rewriting logic is discussed in Section 6. The modeling capabilities of probabilistic rewriting logic are exemplified in Section 7. Section 8 discusses related and future work.



2 Rewriting Logic 

We need first to recall some classical notions and results (we follow the notations and terminology from [2]): $T(\Sigma, X)$ denotes the set of terms over signature $\Sigma$ and disjoint set of variables $X$. When $t \in T(\Sigma, X)$ is a term, let $Pos(t)$ be the set of its positions. For $p \in Pos(t)$, let $t|_p$ be the subterm of $t$ at position $p$, and let $t[s]_p$ denote the replacement of the subterm at position $p$ in $t$ by $s$. The set of all substitutions is denoted by $Sub$.

Definition 1 (Labeled rewrite system). A labeled rewrite system $(\mathcal{R}, \mathcal{L})$ consists of a set $\mathcal{R} \subseteq T(\Sigma,X) \times T(\Sigma,X)$ of rules and a set $\mathcal{L}$ of labels, such that each rule in $\mathcal{R}$ is bijectively associated to a label in $\mathcal{L}$. We write $g \to d \in \mathcal{R}$ for $(g, d) \in \mathcal{R}$ and $(l : g \to d)$ when $l \in \mathcal{L}$ is associated to $g \to d \in \mathcal{R}$.

Definition 2 (Abstract Reduction System). An abstract reduction system $(A, \to)$ consists of a set $A$ and a binary relation $\to$ on $A$, called reduction relation. We write $a \to b$ for $(a, b) \in \to$, and we write $\to^*$ for the reflexive transitive closure of $\to$.



Definition 3 (Reduction relation). Let $\mathcal{R}$ be a rewrite system. The associated reduction relation $\to_\mathcal{R} \subseteq T(\Sigma,X) \times T(\Sigma,X)$, also denoted by $\to$ when $\mathcal{R}$ is clear, is defined by $t \to_\mathcal{R} t'$ iff $\exists (g \to d) \in \mathcal{R}$, $p \in Pos(t)$, $\sigma \in Sub$, such that $t|_p = \sigma(g)$ and $t' = t[\sigma(d)]_p$.

A rule $g \to d \in \mathcal{R}$ will be said to be applicable at the root of term $t$ if position $p$ can be chosen as the root position: i.e. there is a substitution $\sigma \in Sub$ with $t = \sigma(g)$. In that case, $\sigma(d)$ is the result of its application.

The idea of rewriting logic is, for a given rewrite system $\mathcal{R}$, to consider $\to_\mathcal{R}$ as the description of a transition system over terms.

Definition 4. The executional semantic of a given rewrite system $\mathcal{R}$ is the abstract reduction system $\mathcal{S}_\mathcal{R} = (T(\Sigma,X), \to_\mathcal{R})$.

The derivations of this abstract reduction system correspond to the provable sequents of a logic, called rewriting logic. This logic talks about sentences of the form $t \to t'$, meaning that $t$ can evolve toward $t'$ in $\mathcal{S}_\mathcal{R}$ [19].

Proposition 1. [There exists a sound and complete proof system for $\to^*$ [19]] Suppose rewrite system $\mathcal{R}$ is fixed. Two terms $t, t' \in T(\Sigma,X)$ are related by $\to^*$ iff $t \to t'$ can be established, starting with axioms $l \to r$ for each rule $l \to r \in \mathcal{R}$, by the following proof system:

Reflexivity: if $t \in T(\Sigma,X)$,

$\dfrac{}{t \to t}$

Congruence: if $f \in \Sigma_n$,

$\dfrac{t_1 \to t_1' \quad \cdots \quad t_n \to t_n'}{f(t_1, \ldots, t_n) \to f(t_1', \ldots, t_n')}$

Replacement: if $l : g(x_1, \ldots, x_n) \to d(x_1, \ldots, x_n) \in \mathcal{R}$,

$\dfrac{t_1 \to t_1' \quad \cdots \quad t_n \to t_n'}{g(t_1, \ldots, t_n) \to d(t_1', \ldots, t_n')}$

Transitivity:

$\dfrac{t_1 \to t_2 \quad t_2 \to t_3}{t_1 \to t_3}$
Remark 1. Rewriting logic is generally defined considering rewriting modulo: sequents correspond to the quotient set $T(\Sigma, X)/\mathcal{E}$ where $\mathcal{E}$ is a given set of identities [19]. In this paper, we will not consider terms modulo a congruence class. Furthermore, we will not allow conditional rules. We believe this restricted framework to be interesting enough by itself for the following discussions.

Remark 2. In order to represent both a reduction and the proof tree that induces this reduction, proof terms can also be considered: the set $\mathcal{PT}$ of proof terms is defined as the set $T(\Sigma \cup \mathcal{L} \cup \{;\}, X)$ of terms on the signature $\Sigma$ extended with the labels of $\mathcal{L}$ and the binary concatenation operator $;$ [10]. Rewriting logic deduction rules can then be adapted to derive sentences of the form $\pi : t \to t'$ meaning that $t$ evolves toward $t'$ in $\mathcal{S}_\mathcal{R}$ using the path encoded by proof term $\pi$: see [10,19]. But, as shown by the previous proposition, unless one wants to define the notion of model [19], or the notion of strategy [10], proof terms are not mandatory.

3 Probabilistic Abstract Reduction Systems 

Let $S$ be a countable finite or infinite set. A stochastic sequence $(X_n)_{n \ge 0}$ on $S$ is a family of random variables from some fixed probability space to $S$.

Definition 5 (Homogeneous Markovian Stochastic Sequence). A stochastic sequence $(X_n)_{n \ge 0}$ is Markovian if its conditional distribution function satisfies $\forall n$, $\forall i_0, \ldots, i_n \in S$, $p(X_n = i_n \mid X_{n-1} = i_{n-1}, \ldots, X_0 = i_0) = p(X_n = i_n \mid X_{n-1} = i_{n-1})$. It is said to be homogeneous if furthermore this probability is independent of $n$.

In other words, the Markov property means that the system evolution does not depend on the past, but only on the present state. The homogeneity property means that the dynamics is independent of time.

In that case, $P = (p_{ij})_{i,j \in S}$ defined by $p_{ij} = p(X_n = j \mid X_{n-1} = i)$ is a stochastic matrix on $S$: i.e. it satisfies, for all $i, j \in S$, $p_{ij} \in [0, 1]$ and, for all $i$, $\sum_j p_{ij} = 1$. It is called a matrix even when $S$ is infinite. Homogeneous Markovian stochastic sequences (HMSS) and stochastic matrices are in correspondence, since conversely to any stochastic matrix $P = (p_{ij})_{i,j \in S}$ corresponds a homogeneous Markovian stochastic sequence: if at time $n$ the system state is $i \in S$, choose at time $n + 1$ system state $j$ with probability $p_{ij}$.

In [8], we suggested extending abstract reduction systems in a homogeneous Markovian way:

Definition 6 (PARS). A Probabilistic Abstract Reduction System $\mathcal{A} = (A, \rightsquigarrow)$ consists of a countable (finite or infinite) set $A$ and a mapping $\rightsquigarrow$ from $A \times A$ to $[0, 1]$ such that for all $s \in A$, $\sum_t s \rightsquigarrow t = 0$ or $1$.

A PARS $\mathcal{A}$ is like a HMSS on $A$ whose stochastic matrix is $P = (s \rightsquigarrow t)_{s,t}$. However, contrary to a HMSS, a state can be irreducible, that is such that $\sum_t s \rightsquigarrow t = 0$. Actually, a PARS can be transformed into a stochastic matrix by adding a new state $\bot$ and reducing irreducible states to $\bot$: let $S = A \cup \{\bot\}$ be the extension of $A$ with $\bot$. Extend $\rightsquigarrow$ on $S \times S$ by

$s \rightsquigarrow \bot = 1$ if $s \in A$ is irreducible
$s \rightsquigarrow \bot = 0$ if $s \in A$ is reducible
$\bot \rightsquigarrow t = 0$ for all $t \in A$
$\bot \rightsquigarrow \bot = 1$

Definition 7 (Derivation). A derivation of $\mathcal{A}$ is a corresponding HMSS on $S$.

PARS correspond to the extension of Abstract Reduction Systems (ARS) with probabilities. Indeed, to a PARS $\mathcal{A} = (A, \rightsquigarrow)$ can be associated a unique ARS $(A, \to)$, called its projection, obtained by forgetting probabilities: $s \to t$ if and only if $s \rightsquigarrow t > 0$. Conversely, to any ARS can be associated several PARS by distributing probabilities over the possible derivations: the projection of these PARS will be the original ARS: see [8] for a full discussion.

4 Probabilities and Transitivity 

We now come to the main object of this paper, that is to discuss whether there 
exists a notion of probabilistic rewrite system with some executional semantic 
for which there exists some associated notion of probabilistic rewriting logic. 

We have not yet defined what probabilistic rewrite systems are, but one may 
expect a probabilistic rewrite system to correspond to a classical rewrite system 
with somehow the addition of probabilities. One may also expect its executional 
semantic to be defined as a probabilistic abstract reduction system over terms. 
In other words, one would expect to define probabilistic rewrite systems and their 
executional semantics by distributing in some manner the probabilities over the 
executional semantic of classical rewrite systems. 

The point is to get something “nice”: one may in particular want to have results in the spirit of Proposition 1: there is some associated sound and complete proof system that could derive whether two terms are related in the corresponding executional semantic. If it were so, guided by classical theory, we would then call this complete proof system probabilistic rewriting logic.

However, we prove in this section that there is no hope to get such a sound 
and complete proof system. 

We start with a computability theory result about homogeneous Markovian stochastic sequences: observe that, when $P$ is a stochastic matrix and $n$ is an integer, $P^n$ is a stochastic matrix whose entries give the probability of going from $i$ to $j$ in $n$ steps [9]. We show that even two-step transitions, that is $P^2$, are not computable in the general case: a stochastic matrix $P = (p_{ij})_{i,j}$ is said to be recursive if all its entries are rational and there exists a Turing machine that, given $i, j$, outputs $p_{ij}$. Such a matrix can be represented by an index of a corresponding Turing machine.
Theorem 1. The decision problem “given a stochastic matrix $P$ and some rational $q$, decide if the top-left entry of $P^2$ is $q$” is not recursively enumerable.

Proof. The halting problem “given integer $w$, decide if Turing machine number $w$ accepts input $w$” is recursively enumerable and non-recursive, and hence its complement Co-Halt cannot be recursively enumerable. We only need to prove that problem Co-Halt reduces to our problem.

Given an input $w$ of Co-Halt, consider the matrix $P = (p_{i,j})_{i,j}$ where $p_{1,j} = \frac{1}{3}\left(\frac{2}{3}\right)^{j-1}$ for all $j$, and, for $i > 1$, $p_{i,j} = 0$ for all $j > 2$, $p_{i,1} = 0$ (respectively $p_{i,2} = 1$) if Turing machine number $w$ over input $w$ halts in less than $i$ steps, $p_{i,1} = \frac{1}{3}$ otherwise (respectively $p_{i,2} = 1 - \frac{1}{3}$ otherwise). $P$ is a recursive stochastic matrix: all its entries are computable rationals of $[0, 1]$; for $i = 1$ we have $\sum_{j \ge 1} p_{1,j} = 1$, and for $i > 1$, $\sum_{j \ge 1} p_{i,j}$ is $p_{i,1} + p_{i,2} = 0 + 1$ or $\frac{1}{3} + (1 - \frac{1}{3}) = 1$ according to whether Turing machine number $w$ stops on input $w$ in less than $i$ steps or not.

Assume that Turing machine number $w$ does not accept input $w$. For all $i > 1$ we have $p_{i,1} = \frac{1}{3}$ and $p_{i,2} = 1 - \frac{1}{3}$. The top-left entry of $P^2$ is given by

$\sum_{k \ge 1} p_{1,k}\, p_{k,1} = \sum_{k \ge 1} \frac{1}{3}\left(\frac{2}{3}\right)^{k-1} \cdot \frac{1}{3} = \frac{1}{3}.$

Assume that Turing machine number $w$ accepts input $w$ at time $i_0$. We have $p_{i,1} = \frac{1}{3}$ and $p_{i,2} = 1 - \frac{1}{3}$ for all $i < i_0$, and $p_{i,1} = 0$ and $p_{i,2} = 1$ for all $i \ge i_0$. After a certain row, the first column elements of matrix $P$ are $0$ and the second column elements are $1$. The top-left entry of $P^2$ is given by

$\sum_{k < i_0} p_{1,k}\, p_{k,1} = \sum_{k < i_0} \frac{1}{3}\left(\frac{2}{3}\right)^{k-1} \cdot \frac{1}{3} = \frac{1}{3}\left(1 - \left(\frac{2}{3}\right)^{i_0 - 1}\right) < \frac{1}{3}.$

Hence, problem Co-Halt reduces to our problem considering matrix $P$ and rational $q = 1/3$.



Remark 3. The previous proof also shows that the problem of determining whether the top-left entry of $P^2$ is $\ge q$ is not recursively enumerable. The problem of determining whether it is $> q$ can be shown to be recursively enumerable but non-recursive.

We now come back to rewriting and probabilities. A point is that one expects the notion of probabilistic rewrite system to cover at least homogeneous Markovian stochastic sequences: indeed, any stochastic matrix $P = (p_{ij})_{i,j}$ on a set of states $S$ can be considered as a rewrite system with probabilities: take a constant for each element $i \in S$ and write a rule $i \to j$ with associated probability $p_{ij}$ for each $i, j$.

Suppose there were a sound and complete proof system that could derive whether two terms are related in the executional semantic of a given probabilistic rewrite system. It is rather natural to expect this proof system not only to talk about whether there is a path between two terms in the executional semantic but also to talk about the probability of this path: otherwise it would have nothing to do with probabilities. In other words, it is natural to expect such a proof system to derive sentences of the form $t \rightsquigarrow^p t'$ (or $t \rightsquigarrow^p_n t'$) meaning “term $t$ can evolve to term $t'$ with probability $p$ (respectively in $n$ steps)”.

We show this is impossible (observe that you can fix $n = 2$ in what follows):
Theorem 2 (There is no sound and complete proof system for $\rightsquigarrow_n$). There is no way to conceive a sound and complete proof system (axioms + deduction rules) that could derive in the general case, for all terms $s, t$ and integer $n$, the probability $s \rightsquigarrow_n t$ of going from $s$ to $t$ in $n$ steps.

Proof. Assume there were a finite (or even a recursively enumerable) set of axioms and a finite (or even recursively enumerable) set of deduction rules that would allow one to give the probabilities $s \rightsquigarrow_n t$ for all $s, t, n$. By enumerating recursively axioms and proofs we could enumerate all the possible proofs. Hence, the problem “given some probabilistic rewrite system, some terms $s, t$ and some rational $q$, decide if $q = s \rightsquigarrow_n t$” would be recursively enumerable. This is in contradiction with Theorem 1 considering systems describing a homogeneous Markovian stochastic sequence.

One may argue that the previous argument relies on systems with a non-finite set of rules, or that we do not talk about reachability in any number of steps. Actually, we prove:

Theorem 3. The decision problem “given a PARS represented by a finite set of rewrite rules with probabilities, and some states $s, t$, decide if the probability $s \rightsquigarrow^* t$ of going from $s$ to $t$ in any number of steps is $q$” is not recursively enumerable.

Proof. We only need to reduce the non-recursively enumerable decision problem Co-Halt to our problem. Let $E$ be the set of couples $(w, t)$ such that Turing Machine number $w$ halts on input $w$ in less than $t$ steps. $E$ is a recursive set. By the Bergstra-Tucker theorem [6], there exists a confluent rewriting system on a signature $\Sigma \supseteq \{0, s, In\}$, where $0$ is a constant symbol, $s$ is a unary (successor) function symbol, and $In$ is a binary function symbol, such that for all $x, t \ge 0$,

$In(s^x(0), s^t(0)) \to^* 0$ if $(x, t) \in E$
$In(s^x(0), s^t(0)) \to^* s(0)$ if $(x, t) \notin E$

Consider signature $\Sigma' = \Sigma \cup \{F, Run\}$, where $F$ is binary, $Run$ unary (and these symbols are not in $\Sigma$). Consider the rewrite system $\mathcal{R}$ composed of the rules of the rewriting system associated to $E$ plus the rules:

$Run(x) \to F(x, 0)$

$F(x, t) \to F(x, s(t))$

$F(x, t) \to In(x, t)$

Build a PARS on $T(\Sigma', X)$ by assigning probabilities to the reductions of $\mathcal{R}$: put probability $1/2$ on the reductions $F(x, t) \to F(x, s(t))$ and $F(x, t) \to In(x, t)$, and probability $1$ on all other reductions.

By construction, the probability $p(w)$ that $Run(s^w(0))$ reduces to $s(0)$ is

$p(w) = \sum_{n \mid (w, n) \notin E} \frac{1}{2^{n+1}}.$

Indeed, a reduction that leads to $s(0)$ can be written as

$F(s^w(0), 0) \to^* F(s^w(0), s^n(0)) \to In(s^w(0), s^n(0)) \to^* s(0)$

and the probability of such a reduction is

Observing the definition of $E$, probability $p(w)$ is $1$ iff $w \in$ Co-Halt, and is $< 1$ otherwise. Hence, problem Co-Halt reduces to our problem.



Remark 4. The previous proof also shows that the problem of deciding whether $s \rightsquigarrow^* t$ is $\ge q$ is not recursively enumerable. Deciding whether it is $> q$ can be shown to be recursively enumerable but non-recursive.

Using similar arguments to those used to establish Theorem 2, we get:

Theorem 4 (There is no sound and complete proof system for $\rightsquigarrow^*$). Even when restricting to systems described by a finite set of rewriting rules, there is no way to conceive a proof system that could derive in the general case, for all terms $s, t$, the probability $s \rightsquigarrow^* t$ of going from $s$ to $t$.

5 Probabilistic Rewrite Systems 

We now present the notion of probabilistic rewrite system with the associated 
notion of executional semantic that we propose. 

The rules that can be applied on some term t depend on t. For example for 
the following rewrite system 



J Zi : f{a,x) -)> X 
X k ■■ f{x, b) ^ c 

over signature E = {/, a, b, c}, on term /(a, b) both rules h and k apply, but on 
term f{a,a) only rule l\ applies. 

Furthermore, on a given term t, one may have the choice to apply a rule at 
the root of the term, that is to use replacement rule, or to rewrite concurrently 
only (one or several) subterms, that is to use congruence rule. 

We would like to distribute probabilities over the possibilities. A first difficulty 
is that we cannot hardwire probabilities directly: if we wanted to give probability 
p_i to rule l_i, for i = 1, 2, on term f(a, b) we would expect p_1 + p_2 = 1, and on term 
f(a, a) we would expect p_1 = 1. This is impossible unless p_2 is 0, i.e. l_2 never 
applies. 

Our proposition is to consider that we do not assign probabilities but weights: 
a weight is some positive real number. The following strategy is then proposed: on 
a term t, choose some applicable possibility (that is to say, a rule that applies at 
the root of t, or the congruence rule for symbol f if term t is of the form t = f(t_1, ..., t_n) 
and some of the t_i is reducible), selecting possibility i of weight w_i with probability 
w_i / w, where w is the sum of the weights of the applicable possibilities. 

This strategy, even if it is often adopted to avoid the above problem (see e.g. [14]), 
requires normalizing the weights to obtain true probabilities and then choosing an 
applicable possibility accordingly, and may seem artificial. 

However, we claim that this is equivalent to a more natural strategy: since 
the previous strategy is unchanged if all weights are multiplied by some real 
positive constant, assume that the weights w_i are chosen such that Σ_i w_i = 1. The 
same strategy can then also be obtained as follows: on a term t, choose any possibility, 
selecting possibility i with probability w_i. As long as the chosen possibility cannot be 
applied to t, repeat. When one succeeds in getting one that applies to t, apply it. 

This is indeed a restatement of the following easy observation. 

Proposition 2. Suppose that we have n alternatives that can be partitioned into 
"bad ones" and "good ones". Suppose that weights w_1, ..., w_n (i.e. positive real 
numbers) are assigned to the alternatives in such a way that Σ_i w_i = 1. 

Then the following algorithm: 

1. Choose I ∈ {1, ..., n} selecting i with probability w_i. 

2. If alternative number I is a bad one, then repeat: i.e. goto 1. 

3. Answer "alternative number I". 

never stops if there is no good alternative, returns with probability 1 some good 
one otherwise, returning alternative number i with probability 
w_i / \sum_{j \text{ good}} w_j . 
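The algorithm of Proposition 2 as an added example (it is not code from the paper): draw with the normalized weights, repeat while the draw is bad, and compare the empirical answer distribution with the exact one, w_i divided by the total weight of the good alternatives. The `max_tries` guard and the expected number of draws (geometric, mean 1 over the total good weight) are additions to the paper's statement; they are what a practitioner wants to know before relying on such a loop, since it never stops when no alternative is good and becomes slow when the good weight is tiny.

```python
# Added example: rejection sampling over weighted alternatives (Proposition 2).
# Not from the paper; max_tries and expected_tries are additions.
import random


def exact_good_distribution(weights, good):
    """Probability that the algorithm answers alternative i, for each good i:
    w_i divided by the total weight of the good alternatives (empty dict when
    there is no good alternative, i.e. when the loop would never stop)."""
    total_good = sum(weights[i] for i in good)
    if total_good == 0:
        return {}
    return {i: weights[i] / total_good for i in good}


def expected_tries(weights, good):
    """The number of draws is geometric with success probability equal to the
    total good weight, so its mean is 1 / (total good weight)."""
    total_good = sum(weights[i] for i in good)
    return float("inf") if total_good == 0 else 1.0 / total_good


def choose_good(weights, good, rng=None, max_tries=None):
    """Steps 1-3 of Proposition 2. Returns (chosen index, number of draws).
    max_tries (not in the paper) turns the non-terminating case into an error."""
    assert abs(sum(weights) - 1.0) < 1e-9, "weights must sum to 1"
    rng = rng if rng is not None else random.Random(0)
    tries = 0
    while True:
        i = rng.choices(range(len(weights)), weights=weights)[0]   # step 1
        tries += 1
        if i in good:                                              # step 3
            return i, tries
        if max_tries is not None and tries >= max_tries:
            raise RuntimeError("no good alternative after %d draws" % tries)
        # step 2: the alternative was bad, go back to step 1


def empirical_distribution(weights, good, n, seed=0):
    """Frequency with which each good alternative is answered over n runs."""
    rng = random.Random(seed)
    counts = {i: 0 for i in good}
    for _ in range(n):
        i, _ = choose_good(weights, good, rng)
        counts[i] += 1
    return {i: c / n for i, c in counts.items()}


if __name__ == "__main__":
    # Constructed instance: three alternatives, the middle one is bad.
    w, good = [0.5, 0.3, 0.2], {0, 2}
    print(exact_good_distribution(w, good))        # {0: 0.714..., 2: 0.285...}
    print(empirical_distribution(w, good, 5000))
    print(expected_tries(w, good))                  # 1 / 0.7
```

With weights 0.5, 0.3, 0.2 and alternative 1 bad, the answer is alternative 0 with probability 0.5/0.7 and alternative 2 with probability 0.2/0.7, exactly the renormalization the paper's first strategy performs explicitly.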

The following problem remains: suppose t = f(t_1, ..., t_n) and congruence 
is chosen. In the spirit of classical rewriting logic, we want to allow concur- 
rent rewriting, that is to allow several of the t_i to be rewritten simultaneously. 
How should we distribute probabilities? We propose to choose the subterms in 
an independent way. Indeed, n probabilities q^f_1, ..., q^f_n (i.e. n real numbers of 
[0, 1]) are associated to each function symbol f of the signature of arity n: in an 
application of the congruence rule, subterm t_i will be chosen to be rewritten with 
probability q^f_i. One technical point is that we assume that at least one 
subterm is always rewritten, and hence the probabilities are probabilities conditioned 
by this fact. 

In the same spirit, we want to allow concurrent rewriting of subterms in an appli- 
cation of the replacement rule. We assume that all the variables in the right member 
of a rule l : g → r of the rewrite system appear in the left member. Every rule can 
then be written as l : g(x_1, ..., x_n, ..., x_{n+k}) → r(x_1, ..., x_n), where variables 
x_1, ..., x_n are in both members and variables x_{n+1}, ..., x_{n+k} are only in the left 
member. We then suppose that to every such rule are associated n probabilities 
q^l_1, ..., q^l_n: in an application of the replacement rule, subterm t_i will be chosen to be 
rewritten with probability q^l_i. Since replacement already involves at least one rewrite, we 
do not require that at least one subterm is rewritten. 

We have now all the ingredients. 

Definition 8 (Probabilistic Rewrite System). A probabilistic rewrite sys- 
tem (R, L, W) is given by a labeled rewrite system (R, L), where all variables in 
a right member of a rule of R appear in the left member, with the addition of 
the following: 

1) a weight (positive real number) w_l for each rule l ∈ R, 

2) a weight w_f for each function symbol f of the signature, 

3) n reals q^f_1, ..., q^f_n of [0, 1] for each function symbol f of arity n, 

4) n reals q^l_1, ..., q^l_n of [0, 1] for each rule l : g(x_1, ..., x_n, ..., x_{n+k}) → 
r(x_1, ..., x_n) of R. 

The weights are assumed to be chosen such that Σ_f w_f + Σ_l w_l = 1. 

We can then introduce the following reduction algorithm: 

Definition 9. Given some probabilistic rewrite system, Reduction is the follow- 
ing recursive algorithm: 

Input: a reducible term t. 

Output: a term t'. 

Algorithm: 

1. Choose either a rule l ∈ R or a symbol f of the signature, according to 
the probability distribution given by the weights. 

2. If a rule l : g(x_1, ..., x_n, ..., x_{n+k}) → r(x_1, ..., x_n) was chosen then 

2.1 If there is no σ ∈ Sub with σ(g) = t then repeat: i.e. goto 1. 

/* From now on, t = g(t_1, ..., t_{n+k}) for some t_1, ..., t_{n+k} */ 

2.2 Choose X_1, ..., X_n ∈ {0, 1} with probability P(X_i = 1) = q^l_i. 

2.3 For i = 1, ..., n, let t'_i be the result of the recursive call of algorithm 
Reduction on t_i when X_i = 1 and t_i is reducible, and let t'_i = t_i otherwise. 

2.4 Return r(t'_1, ..., t'_n). 

3. If a symbol f was chosen 

3.1 If t is not f(t_1, ..., t_n) for some t_1, ..., t_n then repeat: i.e. goto 1. 

/* From now on, t = f(t_1, ..., t_n) for some t_1, ..., t_n */ 

3.2 Choose X_1, ..., X_n ∈ {0, 1} with probability P(X_i = 1) = q^f_i. 

3.3 If X_i = 0 for all i with t_i reducible then repeat: i.e. goto 1. 

3.4 For i = 1, ..., n, let t'_i be the result of the recursive call of algorithm 
Reduction on t_i when X_i = 1 and t_i is reducible, and let t'_i = t_i otherwise. 

3.5 Return f(t'_1, ..., t'_n). 

Remark 5. This algorithm terminates with probability 1 when given some re- 
ducible t. If given some non-reducible t it runs forever: this is a consequence of 
Proposition 2. 

We can then define: 

Definition 10. The executional semantics of a given probabilistic rewrite system 
(R, L, W) is the corresponding probabilistic abstract reduction system on terms: 
it is defined as S_R = (T(Σ, X), ⇝) where for all s, t, the probability p of going 
from s to t is 0 if s is not reducible, and is the probability that algorithm 
Reduction returns t on input s if s is reducible. 

When (R, L, W) is a probabilistic rewrite system, call (R, L) its projection: that 
is, the classical rewrite system obtained by forgetting probabilities. We have 
from the definitions: 

Theorem 5. The projection of the executional semantics of any probabilistic 
rewrite system is the executional semantics of its projection. 



6 Probabilistic Rewriting Logic 



We now show that there is a sound and complete proof system if proof terms 
are explicit, i.e. if paths between terms are given. 

We propose a logic that works with sequents of the form π : t →_p t': when p is a 
positive real number and t' ≠ ⊥, such a sequent means that term t can evolve 
to term t' in the executional semantics using the path given by proof term π, and 
that the probability of this path is p. The logic consists of three rules: reflexivity, 
congruence, replacement. Transitivity is absent because of the results of Section 4. 

A sequent deduced from reflexivity in classical rewriting logic does not cor- 
respond to a reduction of the rewriting reduction relation. We suggest to distin- 
guish such a sequent from the others with the use of a new symbol replacing the 
probability: •. 

Reflexivity: for all reducible constants a, 

    Ref : a : a →_• a

We need a way to express that a term is non-reducible: we propose to use the symbol 
⊥. We assume that rules have been added to the rewrite system so that we have 
the rule {⊥_a : a → ⊥} for every non-reducible constant a. When t is a term, 
we denote by R(t) the set of rewrite rules that can be applied at its root. In 
particular, we assume R(a) = {⊥_a : a → ⊥} for every non-reducible constant a. 
A sentence of the form π : t →_p ⊥ will mean that t is non-reducible. 



Congruence: for all f ∈ Σ_n, 

    C : \frac{\pi_1 : t_1 \to_{p_1} t'_1 \quad \cdots \quad \pi_n : t_n \to_{p_n} t'_n}
             {f(\pi_1, \dots, \pi_n) : f(t_1, \dots, t_n) \to_p f(t''_1, \dots, t''_n)}

with I = {i ∈ {1, ..., n} | t'_i ≠ ⊥}, t''_i = t'_i if i ∈ I and t''_i = t_i if i ∉ I, 
and p = • if p_i = • for all i (the expression for p in the other case, written in 
terms of t = f(t_1, ..., t_n), is not legible in this copy). 

Here, I is the set of subterms that can be reduced. The rule is valid if I ≠ ∅. If 
I = ∅, since f(t_1, ..., t_n) is non-reducible, the rule becomes 

    \frac{\perp_{t_1} : t_1 \to_1 \perp \quad \cdots \quad \perp_{t_n} : t_n \to_1 \perp}
         {\perp_{f(t_1, \dots, t_n)} : f(t_1, \dots, t_n) \to_1 \perp}
Replacement: for all l : g(x_1, ..., x_{n+k}) → d(x_1, ..., x_n) ∈ R, 

    \frac{\pi_1 : t_1 \to_{p_1} t'_1 \quad \cdots \quad \pi_n : t_n \to_{p_n} t'_n}
         {l(\pi_1, \dots, \pi_n, t_{n+1}, \dots, t_{n+k}) : g(t_1, \dots, t_n, t_{n+1}, \dots, t_{n+k}) \to_p d(t''_1, \dots, t''_n)}

with I = {i ∈ {1, ..., n} | t'_i ≠ ⊥}, t''_i = t'_i if i ∈ I and t''_i = t_i if i ∉ I, 
and p = • if p_i = • for all i (the expression for p in the other case, a product 
over i ∈ I of the p_i and q^l_i and over the i ∉ I of factors (1 - q^l_i), is not 
fully legible in this copy). 

Here the rule is correct even when I = ∅. 

The previous rules distribute probabilities correctly onto rewrite rules (the 
proof can be found in [17]). 

Proposition 3. Let t be a reducible term. Let S(t) be the set of sequents π : 
t →_p t' deducible from the rules [Reflexivity, Congruence, Replacement], and such 
that p ≠ •. Then Σ_{S(t)} p = 1. 

The main property of this proof system is given by the following result (the proof, 
based on repeated applications of Proposition 2, can be found in [17]). 

Theorem 6 (The above logic provides a sound and complete proof sys- 
tem for sequents with proof terms). Suppose probabilistic rewrite system 
R is fixed. For all t, t' ∈ T(Σ, X), there is a path encoded by π between t and t' 
in the executional semantics of R of positive probability p iff π : t →_p t' with a 
positive p is provable using the previous three rules. 



7 Modeling Randomized Systems 

In order to argue that our notions of probabilistic rewrite systems, executional 
semantics and associated logic are natural, we now show how some systems can 
easily be modeled. We write l : g →_p d when weight p is associated to rule 
l : g → d. 

Example 1 (Coin flipping). We use constant symbols head and tail and the 
following system. 

    h : x →_{1/2} head
    t : x →_{1/2} tail

Example 2 (Two-player game). Each player has n euros at the beginning. At each 
round, a coin is flipped. If it falls on head, player 1 wins 1 euro from player 2. If it 
falls on tail, player 2 wins 2 euros from player 1. The game stops when one player 
is ruined. 

The current amount of a player is encoded using constant 0 and unary function 
s (successor). Binary function game is used to group both players, and two 
constants W_1 and W_2 are used to mean that player 1 or 2 wins. Weight 0 is 
assigned to function symbol game. The game is modeled by the derivations 
starting from game(s^n(0), s^n(0)). 

    h_1 : game(n_1, s(s(n_2))) →_{1/2} game(s(n_1), s(n_2))

    h_2 : game(n_1, s(0)) →_{1/2} W_1

    t_1 : game(s(s(s(n_1))), n_2) →_{1/2} game(s(n_1), s(s(n_2)))

    t_2 : game(s(s(0)), n_2) →_{1/2} W_2
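The Reduction algorithm of Definition 9, run on the rule sets of Examples 1 and 2, as an added example (this is not code from the paper). Terms are tuples (symbol, arguments), variables are lowercase strings, and a first-order matcher stands in for the "σ ∈ Sub with σ(g) = t" test of step 2.1. The only assumption beyond the paper's text is that the symbol s, like game, gets weight 0, so congruence is never chosen and every step is a rule application at the root; the q values of the rules are likewise taken as 0, which is harmless here because Peano numerals are never reducible. For the coin the system is applied once (head and tail are themselves reducible under x → head, x → tail); for the game, Reduction is iterated until a normal form, with a step bound as the guard Remark 5 calls for.

```python
# Added example: Definition 9 (Reduction) on Examples 1 and 2 of the paper.
# Not the paper's code. Assumption: symbol s has weight 0, rule q's are 0.
import random


def const(c):
    return (c, ())


def s(t):
    return ("s", (t,))


def nat(n):
    """Peano numeral s^n(0)."""
    t = const("0")
    for _ in range(n):
        t = s(t)
    return t


def game(a, b):
    return ("game", (a, b))


def is_var(t):
    return isinstance(t, str)


def match(pattern, term, sigma):
    """First-order matching; on success sigma holds the substitution."""
    if is_var(pattern):
        if pattern in sigma:
            return sigma[pattern] == term
        sigma[pattern] = term
        return True
    if is_var(term) or pattern[0] != term[0] or len(pattern[1]) != len(term[1]):
        return False
    return all(match(p, a, sigma) for p, a in zip(pattern[1], term[1]))


def instantiate(t, sigma):
    if is_var(t):
        return sigma[t]
    return (t[0], tuple(instantiate(a, sigma) for a in t[1]))


def reducible(t, rules):
    """A rule applies at the root, or some subterm is reducible."""
    if is_var(t):
        return False
    return any(match(r["lhs"], t, {}) for r in rules) or any(reducible(a, rules) for a in t[1])


def reduction(t, system, rng):
    """Definition 9. Input: a reducible term t. Output: one step's result.
    As in Remark 5, this loops forever on a non-reducible t, so callers
    check reducible() first."""
    rules, symbols = system["rules"], system["symbols"]
    choices = [("rule", r) for r in rules] + [("sym", f) for f in symbols]
    weights = [r["w"] for r in rules] + [symbols[f]["w"] for f in symbols]
    while True:
        kind, x = rng.choices(choices, weights=weights)[0]          # step 1
        if kind == "rule":
            sigma = {}
            if not match(x["lhs"], t, sigma):                        # 2.1: goto 1
                continue
            new = {}
            for v, sub in sigma.items():                             # 2.2 and 2.3
                if rng.random() < x["q"].get(v, 0.0) and reducible(sub, rules):
                    new[v] = reduction(sub, system, rng)
                else:
                    new[v] = sub
            return instantiate(x["rhs"], new)                        # 2.4
        f = x
        if is_var(t) or t[0] != f:                                   # 3.1: goto 1
            continue
        flags = [rng.random() < q for q in symbols[f]["q"]]          # 3.2
        chosen = [fl and reducible(a, rules) for fl, a in zip(flags, t[1])]
        if not any(chosen):                                          # 3.3: goto 1
            continue
        return (f, tuple(reduction(a, system, rng) if c else a       # 3.4 and 3.5
                         for c, a in zip(chosen, t[1])))


# Example 1: h : x ->_{1/2} head, t : x ->_{1/2} tail (weights normalized by choices()).
COIN = {"rules": [{"lhs": "x", "rhs": const("head"), "w": 0.5, "q": {}},
                  {"lhs": "x", "rhs": const("tail"), "w": 0.5, "q": {}}],
        "symbols": {}}

# Example 2: the four rules h1, h2, t1, t2; game and (assumed) s have weight 0.
GAME = {"rules": [
    {"lhs": game("n1", s(s("n2"))), "rhs": game(s("n1"), s("n2")), "w": 0.5, "q": {}},
    {"lhs": game("n1", s(const("0"))), "rhs": const("W1"), "w": 0.5, "q": {}},
    {"lhs": game(s(s(s("n1"))), "n2"), "rhs": game(s("n1"), s(s("n2"))), "w": 0.5, "q": {}},
    {"lhs": game(s(s(const("0"))), "n2"), "rhs": const("W2"), "w": 0.5, "q": {}}],
    "symbols": {"game": {"w": 0.0, "q": (0.0, 0.0)}, "s": {"w": 0.0, "q": (0.0,)}}}


def run(t, system, rng, max_steps=100_000):
    """Iterate Reduction until a normal form (guard against non-termination)."""
    for _ in range(max_steps):
        if not reducible(t, system["rules"]):
            return t
        t = reduction(t, system, rng)
    raise RuntimeError("no normal form within max_steps")


def head_frequency(n, seed=0):
    rng = random.Random(seed)
    return sum(reduction(const("coin"), COIN, rng)[0] == "head" for _ in range(n)) / n


def play(euros, seed=0):
    """Winner ('W1' or 'W2') of one game started at game(s^euros(0), s^euros(0))."""
    return run(game(nat(euros), nat(euros)), GAME, random.Random(seed))[0]


def win_probability_player1(euros, n, seed=0):
    rng = random.Random(seed)
    return sum(run(game(nat(euros), nat(euros)), GAME, rng)[0] == "W1" for _ in range(n)) / n


if __name__ == "__main__":
    print(head_frequency(2000))                   # close to 0.5
    print(win_probability_player1(2, 3000))       # close to 1/3
```

Starting with 2 euros each, the reachable states are (2,2), (3,1) and (1,3): from (2,2) only h_1 and t_2 match, from (3,1) only h_2 and t_1, and from (1,3) only h_1. Solving the resulting chain by hand gives player 1 a winning probability of exactly 1/3, which the Monte Carlo estimate approaches.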



Example 3 (Two players with two urns). Two players cannot see one another 
and each has an urn. At the beginning there are n balls in each urn. At each 
round they can choose between taking a ball from their urn or doing nothing. With 
probability p the urns are exchanged at each round by some external person. A player 
with an empty urn loses. 

We do as before with constants 0, W_1, W_2 and functions s and game. We put 
weight 0 on functions game and s. If the probability that player i takes a ball is 
p_i, we set the subterm probabilities of game and of rule l accordingly (the exact 
assignment of q_1 and q_2 is not legible in this copy). 






    choose : s(x) → x

    ech : game(s(x), s(y)) →_p game(s(y), s(x))

    l : game(s(x), s(y)) → game(s(x), s(y))

    g_1 : game(0, s(y)) →_1 W_1
    g_2 : game(s(x), 0) →_1 W_2
    n : game(0, 0) → Tie



8 Related Works, Discussions 

In this paper, we discussed the existence of a notion of rewriting logic in the pres- 
ence of probabilities. We proved that, unlike what happens for the classical theory, 
accessibility cannot be effectively axiomatized, and thus that there is no hope 
of getting a sound and complete logic that would cover transitivity. When transi- 
tivity is avoided, in particular when proof terms are explicit and mandatory, we 
proved that one can define a natural notion of probabilistic rewrite system with 
an associated semantics, and an associated sound and complete probabilistic 
rewriting logic. 

First-order logics have been proposed to deal with probabilities: see e.g. [3,15]. 
The impossibility of effective axiomatizations of several first-order logics with 
probabilities has been proved [1,15], but our results do not seem to follow directly. 

The idea of considering rewriting rules with probabilities has already been 
proposed and illustrated on several examples in [8,14,20], where it is observed 
that probabilities cannot be hardwired directly to rules. Paper [8] proposes to 
avoid the problem by considering the notion of strategy. Papers [14,20] propose 
a solution similar to the one adopted here, considering weights instead of prob- 
abilities. Observe that this trick has similarities with classical techniques used 
to extract a discrete-time Markov chain from a continuous one [9], and hence is 
sometimes implicitly or explicitly used for high-level modeling of continuous-time 
Markovian systems (see e.g. [13]). 

Probabilistic rewriting logic provides a high-level tool for modeling proba- 
bilistic systems. Low-level models include Markov chains [9] and Markov deci- 
sion processes if non-determinism is allowed [22]. Other high-level models include 
models based on Petri nets (cf. survey [4]), on process algebra (cf. survey [16]), 
or on automata (cf. e.g. [5,13,21,23]). According to the classification of [24], our 
proposition falls into the "generative" case. Observe that our proposition for 
defining congruence and replacement is similar to (covers) what [12] proposes 
for the semantics of parallel composition. 

The benefits of using a given approach for describing probabilistic systems, 
compared to another one, depend on the preferred way of describing the world, 
but we believe that our setting is a rather natural and expressive one, just as 
classical rewriting logic is a rather natural and expressive setting for describing 
non-probabilistic reactive systems: see survey [18]. 

Future work includes investigating more deeply the expressive power of the 
logic. Considering rewriting modulo congruence classes may constitute a future 
work direction. Allowing conditional rewriting is another possibility. Another 
important direction is to understand the model theory of these systems: 
Definition 10 reads like the notion of canonical model associated to some given 
probabilistic rewrite system. What is the notion of model of a given probabilistic 
rewrite theory? Which results of the classical theory (see e.g. the results in [18,19]) 
generalize in this context? 

Abstract. This paper gives an overview of the Maude 2.0 system. We 
emphasize the full generality with which rewriting logic and membership 
equational logic are supported, operational semantics issues, the new 
built-in modules, the more general Full Maude module algebra, the new 
META-LEVEL module, the LTL model checker, and new implementation 
techniques yielding substantial performance improvements in rewriting 
modulo. We also comment on Maude’s formal tool environment and on 
applications. 



1 Introduction 

Rewriting logic has been shown to have good properties as a semantic and logical 
framework [20]. The computational and logical meanings of a rewrite t → t' are 
like two sides of the same coin. Computationally, t → t' means that the state 
component t can evolve to the component t'. Logically, t → t' means that from 
the formula t one can deduce the formula t' . Furthermore, rewriting logic has been 
shown to have good properties not only for specification, but also as a declarative 
programming paradigm, as demonstrated by the mature implementations of the 
ELAN [1], CafeOBJ [15], and Maude [6] languages. 

We will focus in this paper on the main new features in Maude 2.0. We refer 
the reader to [4,5] for details on previous releases. Given space limitations, not 
even all these new features can be discussed here. The Maude system, its doc- 
umentation, and related papers and applications are available from the Maude 
website http://maude.cs.uiuc.edu. 

The Maude 2.0 system supports both equational and rewriting logic compu- 
tation with high generality and expressiveness, yet without compromising perfor- 
mance. Functional modules are membership equational theories, whereas system 
modules are very general rewrite theories whose rules can have equations, mem- 
berships, and rewrites in their conditions, and where some operator arguments 
can be frozen to block undesired rewrites (see Section 2). Furthermore, Full 

* Research supported by DARPA through Air Force Research Laboratory Contract 
F30602-02-C-0130, ONR Grant N00014-02-1-0715, NSF grants CCR-9900326, CCR- 
0234603 and CCR-0234524, and by CICYT projects TIC 2000-0701-C02-01 and 
TIC 2001-2705-C03-02. 



R. Nieuwenhuis (Ed.): RTA 2003, LNCS 2706, pp. 76-87, 2003. 
(c) Springer- Verlag Berlin Heidelberg 2003 




The Maude 2.0 System 


Maude 2.0 supports parameterized modules, theories, and views, and object- 
oriented modules. Besides supporting equational simplification, Maude 2.0 sup- 
ports several fair rewriting strategies as well as breadth- first search. Reflective 
capabilities are substantially extended in a new META-LEVEL module. There are 
also efficient predefined implementations of useful arithmetic and string data 
types. Since rewrite theories are ideally suited for specifying concurrent systems, 
Maude 2.0 supports efficient explicit-state model checking of linear temporal 
logic (LTL) properties satisfied by finite-state rewrite theories. The efficiency of 
rewriting modulo axioms has also been increased thanks to some novel imple- 
mentation techniques. Finally, using reflection an environment of formal tools 
for Maude 2.0, extending earlier tools, is currently under development. 

The structure of this document is as follows. Section 2 discusses the semantics 
of Maude 2.0. Section 3 presents some of the new features in this release. Section 4 
is dedicated to the implementation and performance of the system. Section 5 
comments on Maude’s formal tool environment. Finally, Section 6 draws some 
concluding remarks. 



2 Generalized Logical and Operational Semantics 

The close contact with many specification and programming applications has 
served as a good stimulus for a substantial increase in expressive power of the 
rewriting logic formalism in general, and of its Maude realization in particular. 
Specifically, Maude 2.0 supports rewriting logic computation generalized along 
three key dimensions. A first dimension concerns the generality of the underlying 
equational logic. Since a rewrite theory is essentially a triple R = (Σ, E, R), with 
(Σ, E) an equational theory, and R a set of labeled rewrite rules that are applied 
modulo the equations E, the more general the underlying equational logic, the 
more expressive the rewriting logic. Maude 2.0's underlying equational logic 
is membership equational logic [22], a very expressive many-kinded Horn logic 
whose atomic formulas are equations t = t' and memberships t : s, stating that 
a term t has sort s. A second dimension concerns the generality of conditions in 
conditional rewrite rules, which can be of the form 

    r : (\forall X)\; t \to t' \;\text{if}\; \bigwedge_{i \in I} p_i = q_i \;\wedge\; \bigwedge_{j \in J} w_j : s_j \;\wedge\; \bigwedge_{l \in L} t_l \to t'_l

where r is the rule label, all terms are Σ-terms, and the rule can be made 
conditional to other equations, memberships, and rewrites being satisfied. A 
third dimension involves support for declaring certain operator arguments as 
frozen, thus blocking rewriting under them. Therefore, a Maude (system) module 
is a generalized rewrite theory, defined as a 4-tuple R = (Σ, E, φ, R), where 
(Σ, E) is a membership equational theory, R is a set of labeled conditional rewrite 
rules of the general form above, and φ is a function assigning to each operator 
f : k_1 ... k_n → k in Σ the subset φ(f) ⊆ {1, ..., n} of its frozen arguments. 
In Maude, membership equational theories define the equational sublanguage of 
functional modules. 
Unfrozen arguments (those not frozen) are for rewrite theories the analog 
of the arguments specified in evaluation strategies [10] used for equational the- 
ories in OBJ, CafeOBJ, and Maude to improve efficiency and/or to guarantee 
the termination of computations, replacing unrestricted equational rewriting by 
context-sensitive rewriting [19]. Thus, in Maude 2.0 rewriting with both equa- 
tions E and rules R can be made context-sensitive. The mathematical semantics 
of generalized rewrite theories, and thus of modules in Maude 2.0, has been re- 
cently developed by Bruni and Meseguer [2] , who have given generalized rules of 
deduction, and have shown the existence of initial and free models and the com- 
pleteness of rewriting logic deduction relative to the generalized model theory. 

There is yet another way in which Maude 2.0 supports rewriting logic and its 
underlying membership equational logic in its fullest possible generality, namely 
by the way executability issues are dealt with in the language. The point, of 
course, is that efficient and complete computation by rewriting is not possible 
for arbitrary equational theories, unless they satisfy good properties such as con- 
fluence, sort-decreasingness, and perhaps termination. Similarly, to be efficiently 
executable, a generalized rewrite theory R = (Σ, E, φ, R) should first of all have 
(Σ, E) satisfying the above executability requirements, and should furthermore 
be coherent [27] . Executability is of course what we want for programming; but 
it is too restrictive for specification, transformation, and reasoning purposes, 
even when programming is the ultimate goal. For this reason, in Full Maude 
(as in OBJ) there is a linguistic distinction between modules, that are typi- 
cally used for programming as executable theories, and theories, which need not 
be executable and are used for specification purposes (for example, to specify 
the semantic requirements of interfaces in parameterized modules). Maude 2.0 
supports specification of arbitrary membership equational logic theories and of 
arbitrary rewrite theories, while at the same time keeping a sharp distinction be- 
tween executable and non-executable statements (i.e., equations, memberships, 
or rules). This distinction is achieved by means of the nonexec attribute, with 
which such statements can be labeled. In fact, in Maude 2.0 both modules and 
theories can be either: (1) fully executable, or (2) partially executable (some 
statements are nonexec), or (3) non-executable (all statements are nonexec). 
Fully executable equational and rewrite theories are called admissible, and sat- 
isfy the above-mentioned executability requirements; however, in keeping with 
the desired generality of conditions in equations and rules, extra variables can 
appear in conditions, provided that they are only introduced by patterns in 
matching equations or in the righthand sides of rewrites (see Section 3.2). Nev- 
ertheless, executability is a relative matter. In Maude 2.0 all statements are 
executable at the metalevel, using reflection and the META-LEVEL module (see 
Section 3.5) but non-executable ones will need strategies to guide their met- 
alevel execution. This support for a disciplined coexistence of executable and 
non-executable statements allows not only a seamless integration of specifica- 
tion and code, but also a seamless integration of Maude with its formal tools 
(see Section 5). 
3 Some New Features in Maude 2.0 

Maude 2.0 presents a number of new features with respect to previous releases. 
In the following sections we shall discuss some of the most relevant ones, namely, 
the possibility of accessing the kinds, the new form of conditions in conditional 
statements, a search facility for doing breadth first search with cycle detection, 
the new built-in modules, the new possibilities for parameterized programming, 
the new metalevel, and the LTL model checker. Other features not discussed 
here include: a rule and position fair strategy, on-the-fly declaration of vari- 
ables, statement attributes (all statements can be given labels for improving 
tracing, and we can attach an arbitrary string of metadata to a statement for 
metaprocessing), the possibility of using efficiently huge towers of unary opera- 
tor symbols, facilities for improving pretty-printing of terms and for identifying 
possible incompleteness of specifications, new profiling and debugging features, 
and so on. 



3.1 Access to Kinds 

A membership equational signature Σ has a set K of kinds, and for each k ∈ K 
a set S_k of sorts of that kind. Maude does automatic kind inference from the 
sorts declared by the user and their subsort relations, but kinds are not explicitly 
named; instead, a kind k is identified with the set S_k of its sorts, interpreted as 
an equivalence class modulo the equivalence relation generated by the subsort 
ordering. Therefore, for any s ∈ S_k, [s] denotes the kind k = S_k, understood as 
the connected component of the poset of sorts to which s belongs. 

Let us assume a graph specification with sorts Node and Edge and opera- 
tions source and target giving, respectively, the source and target nodes of 
each edge, as well as specific edge and node constants. Then, we extend such 
a specification by declaring a sort Path of paths over the graph, together with 
a partial concatenation operator, and appropriate source and target functions 
over paths as follows, where the subsort declaration states that edges are paths 
of length one. 

    subsort Edge < Path .

    op _;_ : [Path] [Path] -> [Path] .

    ops source target : Path -> Node .

This illustrates the idea that in Maude sorts are user-defined, while kinds are 
implicitly associated with connected components of sorts and are considered as 
“error supersorts.” The Maude system also lifts automatically to kinds all the 
operators involving sorts of the corresponding connected components to form 
error expressions. Such error expressions allow us to give expressions to be eval- 
uated the benefit of the doubt: if, when they are simplified, they have a legal 
sort, then they are ok; otherwise, the fully simplified error expression is returned 
as an error message. Rewriting can occur at the kind level, which may be useful 
for error recovery. 
Given variables E and P of sorts Edge and Path, respectively, we may express 
the condition defining path concatenation with the conditional membership ax- 
iom 

    cmb E ; P : Path if target(E) = source(P) .

stating that an edge concatenated with a path is also a path when the target 
node of the edge coincides with the source node of the path. This has the effect 
of defining path concatenation as a partial function on paths, although it is total 
on the kind [Path] of “confused paths.” 

3.2 More Expressive Conditions in Conditional Statements and Searching 

Equational conditions in conditional equations and memberships are made up 
from individual equations t = t' and memberships t : s using a binary con- 
junction connective /\ which is assumed associative. Furthermore, equations in 
conditions have two variants, namely, ordinary equations t = t', and matching 
equations t := t'. For example, assuming a variable E of sort Edge, and vari- 
ables P and S of sort Path, the source function over paths may be defined by 
means of matching equations in conditions as follows: 

    ceq source(P) = source(E) if E ; S := P .

Matching equations are mathematically interpreted as ordinary equations; how- 
ever, operationally they are treated in a special way and they must satisfy special 
requirements. Note that the variables E and S in the above matching equation 
do not appear in the lefthand sides of the corresponding conditional equation. 
In the execution of this equation, these new variables become instantiated by 
matching the term E ; S against the subject term bound to the variable P. In 
order for this match to decide the equality with the ground term bound to P, 
the term E ; S must be a pattern [6] . 

The satisfaction of the conditions is attempted sequentially from left to right. 
Since matching takes place modulo equational attributes, in general many dif- 
ferent matches may have to be tried until a match of all the variables satisfying 
the condition is found. All conditional equations in a functional module have to 
satisfy certain admissibility requirements, ensuring that all the extra variables 
will become instantiated by matching (see [6] for details). 
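The graph and path specification of Section 3.1 and the matching-equation definition of `source` just given, modelled in Python as an added example (this is not Maude code and not from the paper). The constructed graph has three edges e1: a -> b, e2: b -> c and e3: c -> a. A `Concat` value stands for the term `E ; P` built at kind `[Path]`, so it can always be formed; `is_path` decides the membership `E ; P : Path` using the conditional membership axiom, and `source`/`target` fire only on terms that actually have sort `Path`, since their variable `P` has that sort. On a term that only has the kind, the operator stays unsimplified and is returned as an `ErrorExpr`, which is the "error message" behaviour the text describes.

```python
# Added example: a Python model of kinds as error supersorts (Maude 2.0, Sections
# 3.1 and 3.2). Not Maude code; the graph and the ErrorExpr class are constructed here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Edge:          # sort Edge; subsort Edge < Path
    name: str
    src: str
    tgt: str


@dataclass(frozen=True)
class Concat:        # the term  left ; right  of kind [Path] (op _;_ : [Path] [Path] -> [Path])
    left: object
    right: object


@dataclass(frozen=True)
class ErrorExpr:     # an operator applied to a term that has a kind but no sort
    op: str
    arg: object


def is_path(t):
    """Membership t : Path.  Edges are paths of length one, and
    cmb E ; P : Path if target(E) = source(P)  (E an Edge, P a Path)."""
    if isinstance(t, Edge):
        return True
    if isinstance(t, Concat) and isinstance(t.left, Edge) and is_path(t.right):
        return t.left.tgt == source(t.right)
    return False


def source(p):
    """ceq source(P) = source(E) if E ; S := P.  The variable P has sort Path,
    so the equation does not apply to a term that only has kind [Path]."""
    if isinstance(p, Edge):
        return p.src
    if isinstance(p, Concat) and is_path(p):
        return source(p.left)        # matching E ; S := P binds E to p.left
    return ErrorExpr("source", p)    # stays unsimplified: an error expression


def target(p):
    """Symmetric definition: target(E ; S) = target(S) when E ; S : Path."""
    if isinstance(p, Edge):
        return p.tgt
    if isinstance(p, Concat) and is_path(p):
        return target(p.right)
    return ErrorExpr("target", p)


def sort_of(t):
    """Least sort of t, or its kind written [Path] when no sort applies."""
    if isinstance(t, Edge):
        return "Edge"
    return "Path" if is_path(t) else "[Path]"


# Constructed graph: a -> b -> c -> a.
E1, E2, E3 = Edge("e1", "a", "b"), Edge("e2", "b", "c"), Edge("e3", "c", "a")
GOOD = Concat(E1, Concat(E2, E3))   # e1 ; (e2 ; e3) is a path from a to a
BAD = Concat(E1, E3)                # target(e1) = b but source(e3) = c: kind only

if __name__ == "__main__":
    print(sort_of(GOOD), source(GOOD), target(GOOD))   # Path a a
    print(sort_of(BAD), source(BAD))                   # [Path] ErrorExpr(...)
```

Note that `BAD` can be built and passed around; the "benefit of the doubt" is that nothing fails until a sort is required, and then the fully simplified error expression is what the user sees.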

Conditional rewrite rules can take the most general possible form in the vari- 
ant of rewriting logic built on top of membership equational logic, as explained 
in Section 2, with no restriction on which new variables may appear in the right- 
hand side or the condition. That is, conditions in rules are also formed by an 
associative conjunction connective /\, but they generalize conditions in equa- 
tions and memberships by allowing also rewrite expressions. Of course, in that 
full generality the execution of a rewrite theory specified as a system module 
will require strategies that control at the metalevel the instantiation of the extra 
variables in the condition and in the righthand side [3] . However, a quite general 
class of system modules, called admissible modules, is executable by Maude's 
interpreter using its built-in strategies. A system module M is called admissible 
if its underlying equational theory is confluent, sort-decreasing and terminating, 
its rules are coherent with respect to its equations, and each of its rewrite rules 
satisfies certain requirements ensuring that all the extra variables will become 
instantiated [6]. 

Operationally, we try to satisfy a rewrite condition u → u' by reducing the 
instance σ(u) to canonical form v with respect to the equations, and then trying 
to find a rewrite proof v →* w with w in canonical form with respect to the 
equations and such that w is a substitution instance of u'. When executing 
a conditional rule in an admissible system module, the satisfaction of all its 
conditions is attempted sequentially from left to right; but notice that now, 
besides the fact that many matches for the equational conditions may be possible 
due to the presence of equational axioms, we also have to deal with the fact that 
solving rewrite conditions requires search, including searching for new solutions 
when previous ones fail to satisfy subsequent conditions. 

Searching is also available to the user through the search command, which 
looks for all the rewrites of a given term that match a given pattern satisfying 
some condition. When a search command terminates, either because there was 
a finite state graph, or because a limit to the number of solutions was given, 
the state graph is retained in memory. It is then possible to obtain the whole 
generated search graph and to interrogate the state graph for the path from the 
start term to any reachable state. 

3.3 Built-in Functional Modules 

Maude 2.0 includes some built-in functional modules providing convenient high- 
performance functionality within the Maude system. In particular, the built-in 
modules of integers, natural, rational and floating-point numbers, quoted iden- 
tifiers, and strings provide a minimal set of efficient operations for Maude pro- 
grammers. 

The built-in natural numbers allow Maude programmers to deal with natural 
numbers with C-like performance for simple arithmetic operations on them 
(using GNU GMP). Built-in natural numbers bridge the gap between clean 
Peano-like axiomatizations of numbers with an explicit successor function, and 
rather more efficient binary representations of unbounded natural number 
arithmetic. 
This built-in module allows programmers to manipulate numbers as if they were 
represented with explicit successor notation, and to reflect those numbers up to 
the metalevel. Integers are constructed from natural numbers using the unary 
minus operator. Similarly, the rational numbers are constructed from natural 
numbers using a division operator. The module of floating-point numbers allows 
Maude users access to the IEEE-754 double precision floating-point arithmetic 
when this is supported by the underlying hardware platform. Floats are not 
algebraic term structures; they are treated as a large set of constants. 

Maude’s built-in strings are based on the SGI rope package which has been 
optimized for functional programming, where copying with modification is sup- 
ported efficiently, while arbitrary in-place updates are not. The Maude string 
package is compatible with the QID built-in module [6] of quoted identifiers, and 
interoperates with the Maude 2.0 scheme for metarepresenting user constants. 
A number of conversion functions are also provided. 

3.4 Parameterized Modules and Theories 

Full Maude is an extension of Maude written in Maude itself that supports 
an algebra of parameterized modules, views, and module expressions in the 
Clear/OBJ style as well as object-oriented modules with convenient syntax for 
object-oriented applications. We distinguish three key entities: modules, which 
are theories with an initial or free extension semantics; theories, with a loose 
semantics, that can be used to specify the parameters of modules and to state 
formal assertions; and views, which are theory interpretations used to instan- 
tiate parameter theories, refine specifications, and assert formal properties. In 
Maude 2.0, by means of the Full Maude 2.0 module algebra, modules, theories, 
and views can all be parameterized. 

By using parameterized theories and views we can instantiate parameterized 
theories and modules in an incremental way, gaining in flexibility. The use of 
parameterized views allows us, for example, to define a view Set(X :: TRIV) 
from the trivial theory TRIV with only one sort Elt to the parameterized module 
SET(X :: TRIV) mapping Elt to the sort Set(X). With this kind of view we 
keep the parameter part of the target module still as a parameter. For example, 
given the view Nat from TRIV to NAT and the module LIST(X :: TRIV) of lists, 
we can have the module LIST(Set(Nat)) of lists of sets of natural numbers, or, 
given a module STACK(X :: TRIV) of stacks and a view Bool from TRIV to the 
built-in module BOOL, stacks of sets of booleans with STACK(Set(Bool)). 

3.5 Reflection and the META-LEVEL Module 

Informally, a reflective logic is a logic in which important aspects of its metathe- 
ory can be represented at the object level in a consistent way, so that the object- 
level representation correctly simulates the relevant metatheoretic aspects. In 
other words, a reflective logic is a logic which can be faithfully represented in 
itself. 

Maude’s language design and implementation make systematic use of the 
fact that rewriting logic is reflective [8]. In Maude, key functionality of a met- 
alevel theory with several metalevel functions has been efficiently implemented 
in its functional module META-LEVEL. Maude 2.0 includes improvements in the 
metarepresentations of terms and modules, and in some of the functions already 
available in Maude 1.0. Moreover, Maude 2.0 also provides some new metalevel 
functions. Among others, META-LEVEL includes the following functions: (1) the 
process of reducing a term to normal form is reified by a function metaReduce; (2) 
the process of applying a rule to a subject term is reified by functions metaApply 
and metaXapply; (3) the process of rewriting a term is reified by functions 
metaRewrite and metaFrewrite, which use, respectively, the top-down rule fair 
and position fair default strategies; (4) the process of matching a pattern to a 
subject term is reified by functions metaMatch and metaXmatch; (5) a function 
metaSearch reifies the process of searching for a particular pattern term; and 
(6) parsing and pretty printing of a term, as well as key sort operations, are also 
reified by corresponding metalevel functions. There are also new ascent functions 
upMbs, upEqs, and upRls for obtaining the metarepresentation of membership 
axioms, equations, and rules of a given module in the module database. 



3.6 The Maude LTL Model Checker 

A model checker typically supports two different levels of specification: (1) a 
system specification level, in which the concurrent system to be analyzed is 
formalized; and (2) a property specification level, in which the properties to 
be model checked — for example, temporal logic formulas — are specified. The 
Maude LTL model checker has been designed with the goal of combining the 
very expressive and general system specification capabilities of Maude with an 
LTL model checking engine that benefits from some of the most recent advances 
in on-the-fly explicit-state model checking techniques. 

A Maude module specifies a rewrite theory $\mathcal{R} = (\Sigma, E, \phi, R)$. 
Fixing a distinguished sort State, the initial model $\mathcal{T}_{\mathcal{R}}$ 
of $\mathcal{R}$ has an underlying Kripke structure $\mathcal{K}(\mathcal{R}, 
\mathrm{State})$ given by the total binary relation extending its one-step 
sequential rewrites. To the initial algebra of states we can likewise associate 
equationally-defined computable state predicates as atomic predicates for such 
a Kripke structure. In this way we obtain a language of LTL properties of the 
rewrite theory $\mathcal{R}$. 

Maude 2.0 supports on-the-fly LTL model checking for initial states $[t]$ of 
an admissible rewrite theory $\mathcal{R} = (\Sigma, E, \phi, R)$ such that the 
set $\{[m] \mid \mathcal{R} \vdash [t] \to^{*} [m]\}$ of all states reachable 
from $[t]$ is finite. The syntax of the state predicates we wish to use is 
defined by means of constants and operators of sort Prop, a subsort of Formula 
(i.e., LTL formulas), and their semantics is defined by means of equations 
involving the operator _|=_ : State Formula -> Result. These sorts and this 
operator are declared in the MODEL-CHECKER module (and its submodules). Given 
an initial state of sort State, we can model check any LTL formula involving 
such predicates with two possible results: true if the property holds, or a 
counterexample expressed as a finite path followed by a cycle if it does not. 

Maude also offers an LTL satisfiability decision procedure in its predefined 
functional module SAT-SOLVER, which can also be used as a tautology checker. 
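As an added example, not taken from the paper, the following Maude input exercises two of the features described above: the search command over a system module whose rule [replay] carries a rewrite condition (Section 3.2), and the LTL model checker (this section). The model, and every sort, operator and rule name in it, is invented here: session tokens can be issued, leaked to an attacker, revoked and replayed, and the server-side validation has a deliberately broken fast path. The model-checker interface is written in the later, stable Maude syntax (load model-checker, including MODEL-CHECKER, _|=_ : State Prop -> Bool, modelCheck), which differs from the Maude 2.0 signature _|=_ : State Formula -> Result quoted above; that is an assumption about the reader's Maude version, not something the paper states.

```maude
*** Added example, not from the paper. All names below are invented.
*** Assumes a Maude release with the later MODEL-CHECKER interface.
load model-checker .

mod TOKENS is
  pr NAT .
  sorts Session Sessions Check Sys .
  subsort Session < Sessions .
  ops live revoked leaked pwned : Nat -> Session [ctor] .
  op none : -> Sessions [ctor] .
  op __ : Sessions Sessions -> Sessions [ctor assoc comm id: none] .
  op {_|_} : Nat Sessions -> Sys [ctor] .        *** next fresh id | sessions
  op check : Nat Nat Sessions -> Check [ctor] .  *** server-side validation
  op accept : -> Check [ctor] .
  op _in_ : Session Sessions -> Bool .
  vars N K : Nat . var S : Session . var SS : Sessions .
  eq S in (S SS) = true .
  eq S in SS = false [owise] .

  *** Bounded so that the state space is finite: at most two tokens issued,
  *** one leaked copy and one successful replay per token.
  crl [issue]  : { N | SS } => { s N | SS live(N) } if N < 2 .
  crl [leak]   : { N | SS live(K) } => { N | SS live(K) leaked(K) }
    if not (leaked(K) in SS) .
  rl  [revoke] : { N | SS live(K) } => { N | SS revoked(K) } .

  *** Validation as its own small rewrite system: a token is accepted when
  *** a live session for it exists ...
  rl  [by-session] : check(N, K, SS live(K)) => accept .
  *** ... or, the bug, whenever its id was ever issued (a "fast path" that
  *** ignores revocation).
  crl [by-range]   : check(N, K, SS) => accept if K < N .

  *** The attacker replays a leaked copy. The second condition is a rewrite
  *** condition: Maude must search for a rewrite proof check(...) => accept,
  *** as described for conditional rules in Section 3.2.
  crl [replay] : { N | SS leaked(K) } => { N | SS leaked(K) pwned(K) }
    if not (pwned(K) in SS) /\ check(N, K, SS leaked(K)) => accept .
endm

*** Reachability: some state holds both a revoked and a replayed copy of K.
search [1] in TOKENS : { 0 | none } =>*
  { N:Nat | SS:Sessions revoked(K:Nat) pwned(K:Nat) } .

mod TOKENS-CHECK is
  pr TOKENS .
  inc MODEL-CHECKER .
  inc LTL-SIMPLIFIER .
  subsort Sys < State .
  ops rev pw : Nat -> Prop .
  vars N K : Nat . var SS : Sessions . var P : Prop . var Y : Sys .
  eq { N | SS revoked(K) } |= rev(K) = true .
  eq { N | SS pwned(K) }   |= pw(K)  = true .
  eq Y |= P = false [owise] .
  op init : -> Sys .
  eq init = { 0 | none } .
endm

*** "Revocation is effective": once token 0 is revoked and has not yet been
*** replayed, it is never replayed afterwards.
red modelCheck(init, [] ((rev(0) /\ ~ pw(0)) -> [] ~ pw(0))) .
```

The search finds a state containing revoked(K) and pwned(K), and show path labels with the reported state number lists the rules on the way to it; but a state pattern cannot tell replay-before-revoke (a hijack the model permits) from replay-after-revoke, which is the bug, so the temporal formula is the property that actually matters. With [by-range] present, modelCheck returns a counterexample whose prefix is issue, leak, revoke, replay. Delete [by-range] and modelCheck returns true, while the search still reports a solution because a leaked live token may be replayed before it is revoked.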



4 Implementation and Performance 

Maude 2.0, like Maude 1.0, is implemented as a hierarchy of C++ class libraries. 
There are a large number of incremental improvements, but we highlight the 
major ones. 
The Core Rewrite Engine. The most radical change from Maude 1.0 is the 
use of a novel term representation based on persistent data structures [9] for 
ACU rewriting [11]. In some cases, new rewriting algorithms based on this repre- 
sentation can dramatically improve the rewriting speed for large terms. Table 1 
compares the performance of Maude with and without this representation for 
the example in Appendix A on a 2.8GHz, 2GByte Intel Xeon. The example con- 
sists of a specification MAP for a map data type together with a test program 
MAP-TEST that uses it to compute the Fibonacci function modulo 100. 

Another improvement in the core rewrite engine is left-to-right sharing, in 
which subterms that occur in a lefthand side pattern and are repeated in the 
righthand side can be shared, so that when an instance of the righthand side is 
constructed, the subterm matched by the lefthand side subterm can be reused. 
Other improvements include a new discrimination net algorithm for the free 
theory that takes sort information into account, and the removal of a number of 
bottlenecks in the full AC/ACU matching algorithm. 

The Metalevel. Apart from the new metaterm representation and new metalevel 
functions, the big change from Maude 1.0 is improved caching to cut the cost 
of changing levels in common cases. As well as caching metamodules on a least 
recently used basis, calls to the metalevel functions that take a numeric argument 
specifying a solution number — such as metaApply, metaXapply, metaSearch, 
etc. — are also cached, along with the rewriting state. So a subsequent call to 
find the next solution can compute it incrementally starting from the old state. 

The Model Checker. On-the-fly LTL model checking is performed by construct- 
ing a Büchi automaton from the negation of the property formula and lazily 
searching the synchronous product of the Büchi automaton and the system state 
transition diagram for a reachable accepting cycle. The negated LTL formula is 
converted to negative normal form and heuristically simplified by a set of Maude 
equations, mostly derived from the simplification rules in [14,23]. Rather than 
the classical tableaux construction [17], we use a newer technique proposed in [16] 
based on very weak alternating automata to which we add some strongly con- 
nected component optimizations adapted from those in [23]. Throughout the 
computation, the pure propositional subformulas labeling the arcs of the various 
automata are stored as BDDs to allow computation of conjunctions, elimination 
of contradictions, and combination of parallel arcs by disjunction. We use the 
double-depth first method of [18] to lazily generate and search the synchronous 
product. 

Table 1. Performance in both seconds and rewrites/second with and without the 
persistent representation for ACU terms. 

       n    rewrites   without persistent rep.       with persistent rep. 
                       seconds   rewrites/second     seconds   rewrites/second 
    1000        5999      0.25            23996        0.02           299950 
   10000       59999     55.72             1076        0.21           285709 
  100000      599999   5676.44              105        2.82           212765 

5 Formal Tools 

In addition to the formal methods directly supported by Maude, one can use 
Maude as a formal metatool to build other formal tools supporting proofs of cor- 
rectness of highly critical properties. Reflection and the flexible uses of rewriting 
logic as a logical framework are the key features making it easy to develop such 
formal tools and their user interfaces. The paper [7] gives a detailed account of 
a wide range of formal tools that have been defined in Maude by different au- 
thors. Among others, we may mention: the inductive theorem prover ITP tool, 
the coherence checker and the coherence completion tools, the Church-Rosser 
Checker tool, the termination checker and the Knuth-Bendix completion tools, 
the Real-Time Maude tool, etc. There are extensions of these tools currently 
under development, whose implementations will greatly benefit from the new 
features of Maude 2.0. 

6 Concluding Remarks 

The advances in Maude 2.0 have been used to good advantage in several recent 
applications. The Pathway Logic project uses Maude to develop and analyze bio- 
logical networks [12,13]. Search and model-checking are used to explore possible 
execution paths, and the new descent functions are used to analyze and visualize 
model-checking results. The ascent functions are used to transform the Maude 
model into a Petri net model for further analysis of possible execution paths. 
Work on CCS [26] and the Pi-Calculus [25] provides additional examples of the 
usefulness of new features of Maude 2.0, especially frozen arguments, enriched 
rule conditions, search, and metaSearch. Search, model-checking, and rewrites 
in rule conditions have been used in a project to model and analyze a proposed 
secure architecture for accessing remote services in Java [24]. Work is in progress 
by two of the authors and M. Palomino using the metalevel features and formal 
tools to define and implement abstractions that convert infinite state models 
into finite state abstractions [21]. 

Rewriting logic and its realization in Maude allow for very natural model- 
ing of distributed systems. The next major development of Maude will be to 
provide an extension that supports executable models that interact with their 
environment. This will build on the support for concurrent objects and object 
rewriting in core Maude 2.0 and allow communication with external objects us- 
ing asynchronous message passing. This will provide access to internet sockets, 
file systems, window systems, and so on. 
A Map Benchmark Example 

fmod MAP is 
  sorts Domain Range Pair Map . 
  subsort Pair < Map . 
  op _|->_ : Domain Range -> Pair . 
  op empty : -> Map . 
  op _,_ : Map Map -> Map [assoc comm id: empty] . 
  op undefined : -> [Range] . 
  var D : Domain . vars R R' : Range . var M : Map . 
  op _[_] : Map Domain -> [Range] . 
  eq (M, D |-> R)[D] = R . 
  eq M[D] = undefined [owise] . 
  op insert : Domain Range Map -> Map . 
  eq insert(D, R, (M, D |-> R')) = (M, D |-> R) . 
  eq insert(D, R, M) = (M, D |-> R) [owise] . 
endfm 

fmod MAP-TEST is 
  pr MAP . pr NAT . 
  subsort Nat < Domain Range . 
  var N : Nat . 
  op f : Nat -> Map . 
  eq f(0) = insert(0, 1, empty) . 
  eq f(1) = insert(1, 1, f(0)) . 
  eq f(s s N) 
    = insert(s s N, ((f(s N)[s N]) + (f(s N)[N])) rem 100, f(s N)) . 
endfm 
Abstract. This paper presents an abstract framework and multiple 
diagram-based methods for proving meaning preservation, i.e., that all 
rewrite steps of a rewriting system preserve the meaning given by an 
operational semantics based on a rewriting strategy. While previous 
rewriting-based methods have generally needed the treated rewriting 
system as a whole to have such properties as, e.g., confluence, standard- 
ization, and/or termination or boundedness of developments, our meth- 
ods can work when all of these conditions fail, and thus can handle 
more rewriting systems. We isolate the new lift/project with termina- 
tion diagram as the key proof idea and show that previous rewriting- 
based methods (Plotkin’s method based on confluence and standardiza- 
tion and Machkasova and Turbak’s method based on distinct lift and 
project properties) implicitly use this diagram. Furthermore, our frame- 
work and proof methods help reduce the proof burden substantially by, 
e.g., supporting separate treatment of partitions of the rewrite steps, 
needing only elementary diagrams for rewrite step interactions, exclud- 
ing many rewrite step interactions from consideration, needing weaker 
termination properties, and providing generic support for using develop- 
ments in combination with any method. 



1 Discussion 

1.1 Background and Motivation 

A programming language is defined as a set of programs and a way to evaluate 
(or “execute”) the programs. It is increasingly popular to define evaluation via 
program rewriting [25, 9, 10, 11, 3, 19, 12, 26]. In this approach, evaluation 
rewrite rules are repeatedly applied at particular program positions which are 
typically specified using evaluation contexts [9]. 

Other kinds of program rewriting than evaluation are also desirable. Potential 
uses of rewriting-based program transformations include optimizing compilers, 
partial evaluators, and program simplifiers. These transformations may use the 
already existing evaluation rules in arbitrary contexts or use additional rewrite 
rules. Some transformations may involve global reasoning about the entire pro- 
gram, but many are local and a good match for rewriting-based techniques. 

(Footnote fragment from the first page, truncated in this copy:) EIA 9806745, 
EPSRC grants GR/L 36963 and GR/R 41545/01, and Sun Microsys- 

It is important to know when program transformations preserve a program’s 
meaning as given by evaluation. There are many non-rewriting based approaches, 
such as denotational semantics (models), logical relations, applicative bisimula- 
tion and coinduction, etc., but they will not be discussed here because this paper 
focuses on rewriting-based techniques. Plotkin [25] first devised a rewriting-based 
method to prove meaning preservation for the call-by-name and call-by-value 
λ-calculus using confluence and standardization. At the same time, Plotkin proved 
that evaluation via rewriting was equivalent to evaluation via abstract machine. 
Subsequently, this approach has been applied to many systems, including sys- 
tems with imperative features such as assignments and continuations (examples 
include [10, 11, 21, 3, 19, 12, 26, 17]). 

Warning 1.1 (Not Quite Same as Observational Equivalence) What we 
call meaning preservation is related to observational equivalence (sometimes 
called observational soundness [18], operational equivalence, consistency [25], 
etc.), but is only the same for contextually closed rewriting systems. In this pa- 
per, terms have the same meaning iff evaluating them yields the same result 
(divergence or the same halted state). Terms $t_1$ and $t_2$ are observationally 
equivalent, written $t_1 \sim t_2$, iff $C[t_1]$ and $C[t_2]$ have the same 
meaning for every context $C$ where $C[t]$ places $t$ in the hole of the context 
$C$. Proving a rewriting relation $R$ to be meaning preserving implies that 
$R \subseteq \,\sim$ only when $R$ is contextually closed; see corollary 7.3 for 
an example. This paper presents an abstract (syntax-free) framework which does 
not have any features to represent notions like contexts, so we do not discuss 
observational equivalence except for specific examples. □ 

1.2 Summary of Contributions 

The existing rewriting-based tools for proving meaning preservation are difficult 
to use and sometimes completely inapplicable. To address this problem, this 
paper presents an abstract framework and multiple diagram-based methods for 
proving meaning preservation. The new knowledge presented here improves on 
what is already known as follows. 

1. Our methods can be used for rewriting systems that as a whole fail to have 
confluence, standardization, and/or termination or boundedness of develop- 
ments. While some of our methods ask for confluence or standardization-like 
properties, they do so only for subsets of all rewrite steps. 

2. We isolate the new lift/project with termination diagram (LPT in defini- 
tion 4.1) and show that it is the key proof idea for previous methods for 
proving meaning preservation (Plotkin’s method based on confluence and 
standardization and Machkasova and Turbak’s method based on lift and 
project [17]). We show that the confluence & standardization method is in- 
comparable in proving power with the lift & project method. We present new 
LPT-based methods that can handle systems that previous methods cannot, 
such as systems without standardization. 
3. All of the proof methods dealt with in this paper (including the earlier meth- 
ods of Plotkin and Machkasova & Turbak) are presented abstractly (free 
of syntax). Because our methods are abstract, there are no restrictions on 
the kinds of rewrite rules used. Rewrite rules may be non-left-linear, non- 
orthogonal (overlapping), non-first-order, etc. Also, our approach does not 
need a notion of closed programs as a subset of terms. 

4. All our methods support partitioning the rewrite steps into subsets treated 
separately with different methods. These subsets need only be closed under 
(an informal and only intuitive notion of) “residuals with respect to evaluation 
steps”. This partitioning also makes proving termination properties easier. 

5. Our framework provides generic support for using developments (i.e., con- 
tracting only preexisting marked redexes) together with any method, so each 
method only needs to work for marked rewrite steps. This makes proving ter- 
mination properties easier. No notion of residuals is needed, which is helpful 
for systems with highly overlapping rules where defining residuals is hard. 

6. In addition to a number of high-level diagram-based methods for proving 
meaning preservation, we also present low-level methods that are easier to use 
for people who are not researchers in rewriting. We give as many as possible of 
the details needed for the non-specialist to use and adapt the proof methods. 
These low-level methods use simple termination properties and diagrams. 

(a) Termination properties are only needed for ordinary rewriting, not for 
rewriting of rewrite step sequences (perhaps this should be called meta- 
rewriting?) as in some abstract standardization methods [20]. The differ- 
ent termination properties that each method requires are simple and easy 
for the non-specialist to understand, ranging over boundedness (Bnd) and 
(weak) normalization (Nrm) and a bound on the number of evaluation steps 
in any rewrite sequence (BE in definition 5.1). 

(b) For analyzing rewrite step interactions, each method needs only the com- 
pletion of elementary diagrams, i.e., diagrams where the only given edges 
are two adjacent single rewrite steps. In contrast, some abstract standard- 
ization methods require completing cubes [13, 20]. The method choice can 
depend on which elementary diagrams are completable. All of our methods 
exclude many rewrite step interactions from consideration. 

7. To help rewriting researchers, as much as possible we identify intermediate 
diagrams to make it easier for new diagrams to be added as needed. 

8. Our methods use only the simplest notion of standardization, that a rewrite 
sequence $t_1 \to^{*} t_2$ can be rearranged into a sequence 
$t_1 \to^{*}_{E} t_3 \to^{*}_{N} t_2$ where E and N indicate respectively 
evaluation and non-evaluation steps. Standardization in the literature is a rich 
and interesting notion [20], but other standardization definitions always imply 
our definition and the extra details are not useful here, so they are omitted. 



Due to tight space limits, most proofs are omitted and also some proofs omit 
many details, but a long version of this paper with full proof details is available 
from the first author’s home page. 
2 Mathematical Definitions 

Let $S \uplus S'$ denote $S \cup S'$ if $S \cap S' = \emptyset$ and otherwise 
be undefined. In a proof, “IH” means “by the induction hypothesis” and 
“w/o.l.o.g.” means “without loss of generality”. 

Let R range over binary relations. Let and be alternate notations for 

R which are usable infix, i.e., both a b and a ^ b stand for R{a, b) which in 
turn stands for (a, b) € R. 

Define the following operators on binary relations. Let i?; R' be the com- 
position of R with R' (i.e., { (a, b) | 3c. R(a, c)and R'(c, b) }). Let be 

equality at the type intended for R. Let = (i?*; R) when 0 < i. Let 

Let = R^^ = Ui<fc Let = R^ n R^>^ 

(useful in diagrams when j is existentially quantified). Let = R* = R-^ 
(the transitive, reflexive closure). Let = R~^ be the inverse of R (i.e., 
{ (a, 6) I i?(6, a) }). Let = (i?“^)-°. Let = {RD R~^) (the symmetric 

closure). When R = R~^ (i.e., R is symmetric), let — = R. Let < -- > = (e^)^. 
Let = (e^)^°. 

Let an entity $a$ be an $R$-normal form, written $\mathrm{is\text{-}nf}(R, a)$, 
iff there does not exist some entity $b$ such that $a \to_{R} b$. Let an entity 
$a$ have an $R$-normal form, written $\mathrm{has\text{-}nf}(R, a)$, iff there 
exists some $b$ such that $a \to^{*}_{R} b$ and $\mathrm{is\text{-}nf}(R, b)$. 
Let $\to_{R,\mathrm{nf}}$ be the relation such that $a \to_{R,\mathrm{nf}} b$ 
iff $a \to^{*}_{R} b$ and $\mathrm{is\text{-}nf}(R, b)$. A relation $R$ is 
bounded, written $\mathrm{Bnd}(R)$, iff for every entity $a$ there is some 
$k > 0$ such that there does not exist an entity $b$ such that $R^{k}(a, b)$. 
A relation $R$ is terminating (a.k.a. strongly normalizing), written 
$\mathrm{Trm}(R)$, iff there does not exist any total function $f$ with as 
domain the natural numbers such that $R(f(i), f(i+1))$ for all $i \ge 0$. 
A relation $R$ is (weakly) normalizing, written $\mathrm{Nrm}(R)$, iff for 
every entity $a$ there is some entity $b$ such that $a \to_{R,\mathrm{nf}} b$. 
Note that $\mathrm{Bnd}(R) \Rightarrow \mathrm{Trm}(R) \Rightarrow 
\mathrm{Nrm}(R)$. 

Diagrams make statements about relations where solid and dotted edges 
indicate quantification. Metavariables already mentioned outside the diagram 
are unquantified. Other metavariables (e.g., for node names or used in edge 
labels) are universally quantified if attached to a solid edge and existentially 
quantified if attached only to dotted edges. As an example, in a context where 
$R_1$ and $R_2$ have already been given, the square with solid edges 
$a \xrightarrow{R_1,\,k} b$ and $a \xrightarrow{R_2} c$ and dotted edges 
$c \xrightarrow{R_1,\,\le k} d$ and $b \xrightarrow{R_2} d$ is equivalent to 

$$\forall a, b, c, k.\ \big(a \xrightarrow{R_1,\,k} b \wedge a \xrightarrow{R_2} c\big) 
\Rightarrow \exists d.\ c \xrightarrow{R_1,\,\le k} d \wedge b \xrightarrow{R_2} d$$ 

In proofs, the reason for each diagram polygon will usually be written inside it. 

3 Abstract Evaluation Systems 

An abstract evaluation system (AES) is a tuple 

$$(\mathbb{T}, \mathbb{S}, \mathbb{R}, \mathrm{endpoints}, E, \mathrm{result})$$ 

satisfying the conditions given below by axioms 3.3 and 3.4 and the immediately 
following conditions. The carriers of an AES are the sets $\mathbb{T}$, 
$\mathbb{S}$, and $\mathbb{R}$. The function endpoints maps $\mathbb{S}$ to 
$\mathbb{T} \times \mathbb{T}$. The set $E$ is a subset of $\mathbb{S}$. The 
function result maps $\mathbb{T}$ to $\mathbb{R}$. Let $t$ range over 
$\mathbb{T}$, let $s$ range over $\mathbb{S}$, let $r$ range over $\mathbb{R}$, 
and let $S$ range over subsets of $\mathbb{S}$. 

The intended meaning is as follows. $\mathbb{T}$ should be a set of terms. 
$\mathbb{S}$ should be a set of rewrite steps. $\mathbb{R}$ should be a set of 
evaluation results which by axiom 3.4(1) will most likely contain the symbol 
diverges and one or more other members, typically symbols such as halt, error, 
etc. The halt case might be subdivided into possible constant values of final 
results. If $\mathrm{endpoints}(s) = (t_1, t_2)$, this should mean that step $s$ 
rewrites term $t_1$ to term $t_2$. The members of $E$ are the rewrite steps used 
for evaluation. Let $N = \mathbb{S} \setminus E$ (where “N” stands for 
“non-evaluation”). If $\mathrm{result}(t) = r$, this should mean that $r$ is the 
observable result of evaluating term $t$, where diverges is reserved by 
axiom 3.4(1) for non-halting evaluations. 

Convention 3.1 In this paper, wherever no specific AES is being considered, 
statements are about every possible AES. □ 

Let rewriting notation be defined as follows. Given a rewrite step set $S$, let 
$\lfloor S \rfloor$ be the binary relation 
$\{ (t, t') \mid \exists s \in S.\ \mathrm{endpoints}(s) = (t, t') \}$. Thus, 
$t \to_{S} t'$ iff there exists $s \in S$ such that 
$\mathrm{endpoints}(s) = (t, t')$. When a rewrite step set $S$ is used in a 
context requiring a binary relation on $\mathbb{T}$, then let $S$ implicitly 
stand for $\lfloor S \rfloor$. Thus, as examples, $t \to_{S} t'$ stands for 
$t \to_{\lfloor S \rfloor} t'$ and an $S$-normal form is simply a 
$\lfloor S \rfloor$-normal form. When used in a position requiring a subset of 
$\mathbb{S}$ or a binary relation on $\mathbb{T}$, let $s$ stand for $\{s\}$ and 
let $S, S'$ stand for $S \cap S'$. Thus, as an example, $t \to_{S,S'} t'$ stands 
for $t \to_{S \cap S'} t'$. When a binary relation on $\mathbb{T}$ is required 
and none is supplied, then let the relation $\lfloor \mathbb{S} \rfloor$ be 
implicitly supplied. Thus, as examples, $t \to t'$ stands for 
$t \to_{\mathbb{S}} t'$ and $t \to^{*} t'$ stands for $t \to^{*}_{\mathbb{S}} t'$. 

Definition 3.2 (Rewrite Step Set Properties). Define the following rewrite 
step sets and properties of rewrite step sets: 

Standardization: $\mathrm{Std}(S, S')$ iff $t_1 \to^{*}_{S} t_2$ implies 
$\exists t_3.\ t_1 \to^{*}_{E,S'} t_3 \to^{*}_{N,S'} t_2$. 

Confluence: $\mathrm{Conf}(S)$ iff $t_2 \leftarrow^{*}_{S} t_1 \to^{*}_{S} t_3$ 
implies $\exists t_4.\ t_2 \to^{*}_{S} t_4 \leftarrow^{*}_{S} t_3$. 

Local Confluence: $\mathrm{LConf}(S)$ iff $t_2 \leftarrow_{S} t_1 \to_{S} t_3$ 
implies $\exists t_4.\ t_2 \to^{*}_{S} t_4 \leftarrow^{*}_{S} t_3$. 

Subcommutativity: $\mathrm{SubComm}(S, i, j)$ iff $t_1 \to_{S,i} t_2$ and 
$t_1 \to_{S,j} t_3$ imply $\exists t_4.\ t_2 \to_{S,\le j} t_4$ and 
$t_3 \to_{S,\le i} t_4$. 

Meaning Preservation: $s \in \mathrm{MP}$ iff $t_1 \to_{s} t_2$ implies 
$\mathrm{result}(t_1) = \mathrm{result}(t_2)$. 

Let $\mathrm{Std}(S)$ abbreviate $\mathrm{Std}(S, S)$. Let $\mathrm{SubComm}(S)$ 
abbreviate $\mathrm{SubComm}(S, 1, 1)$. Traditionally, only 
$\mathrm{Std}(S) = \mathrm{Std}(S, S)$ is considered. The simple definition of 
MP is reasonable because axiom 3.4(1) (given below) means MP implies preservation 
of the existence of E-normal forms. See also warning 1.1 and convention 3.1 and 
do not confuse MP with observational equivalence. □ 

Axiom 3.3 (Subcommutativity of Evaluation) SubComm(E). □ 



Non-deterministic evaluation is useful for rewriting systems with non-deter- 
ministic syntax, e.g., the system of [17] where the top syntax level is a set with 
unordered components. Often, it will be simpler to make evaluation deterministic 
so that $t_2 \leftarrow_{s_1} t_1 \to_{s_2} t_3$ implies that $t_2 = t_3$ or 
even that $s_1 = s_2$. 

Axiom 3.3 does not ensure that any strategy for E will find E-normal forms 
when they exist. Strengthening axiom 3.3 so that the bottom and right diagram 
edges have the same length would ensure this, but is not needed otherwise. 

Axiom 3.4 (Evaluation Sanity) 

1. “diverges” Means Evaluation Diverges: 
$\mathrm{result}(t) = \mathrm{diverges} \Leftrightarrow \neg\mathrm{has\text{-}nf}(E, t)$. 

2. Evaluation Steps Preserve Meaning: 
$E \subseteq \mathrm{MP}$. 

3. Non-Evaluation Steps Preserve Evaluation Steps: 
if $t_1 \to_{N} t_2$ and $t_1 \to_{E} t_3$, then $\exists t_4.\ t_2 \to_{E} t_4$. 
Consequently, if $t_1 \to_{N} t_2$, then $\mathrm{is\text{-}nf}(E, t_2)$ implies 
$\mathrm{is\text{-}nf}(E, t_1)$. 

4. Non-Evaluation Steps on E-Normal Forms Preserve Meaning: 
If $t \to_{N} t'$ and $\mathrm{is\text{-}nf}(E, t)$, then 
$\mathrm{result}(t) = \mathrm{result}(t')$. □ 



When defining an AES for a rewriting system, it is trivial to satisfy ax- 
ioms 3.4(1) and 3.4(2) by using an auxiliary function $\mathrm{result}'$ which 
maps $\{ t \mid \mathrm{is\text{-}nf}(E, t) \}$ to 
$\mathbb{R} \setminus \{\mathrm{diverges}\}$ and defining result as follows: 

$$\mathrm{result}(t) = \begin{cases} 
\mathrm{diverges} & \text{if } \neg\mathrm{has\text{-}nf}(E, t), \\ 
\mathrm{result}'(t') & \text{if } t \to_{E,\mathrm{nf}} t'. 
\end{cases}$$ 
Indeed, the model of how evaluation should be computed expects to work this 
way. When $\neg\mathrm{is\text{-}nf}(E, t)$, it is expected that computing 
$\mathrm{result}(t)$ involves first finding $t'$ such that $t \to_{E} t'$, then 
computing $\mathrm{result}(t')$, and otherwise diverging if no such $t'$ exists. 
Thus, the value of $\mathrm{result}(t)$ is unimportant if 
$\neg\mathrm{has\text{-}nf}(E, t)$. Reserving the value diverges for this case 
simplifies things. 

Satisfying axioms 3.4(3) and 3.4(4) requires more care in the design of the 
rewriting system and the AES, but is not hard. Anyway, axiom 3.4(3) is a con- 
sequence of the properties WL1 and WP1 or WLP1 from definition 5.1 which 
typically must also be proven. At first glance, the reader might think that ax- 
iom 3.4(3) is simpler than what is needed because in its diagram no relationship 
is required between the targets of the two E steps; however this issue is handled 
by the LPT diagram from definition 4.1 and in any case a relationship between 
them is only needed when $\mathrm{has\text{-}nf}(E, t_1)$. The condition of 
axiom 3.4(3) appears in other abstract frameworks as early as [13] and appears in 
non-abstract form in [25]. The first explicit statement of the condition of 
axiom 3.4(4) that we are aware of appears in [16], although the condition is 
partially present in [3]. 
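As an added worked instance, not from the paper, of the definition of result and of axioms 3.3 and 3.4, take the following small AES; the term and result names are chosen here for illustration: 

$$\mathbb{T} = \{t_1, t_2, t_3, t_4, t_\omega\}, \qquad 
E = \{t_1 \to t_3,\ t_2 \to t_4,\ t_\omega \to t_\omega\}, \qquad 
N = \{t_1 \to t_2,\ t_3 \to t_4\},$$ 

$$\mathbb{R} = \{\mathrm{diverges}, \mathrm{halt}\}, \qquad 
\mathrm{result}'(t_3) = \mathrm{result}'(t_4) = \mathrm{halt}.$$ 

The E-normal forms are $t_3$ and $t_4$, and $\neg\mathrm{has\text{-}nf}(E, t_\omega)$, so the definition above gives 

$$\mathrm{result}(t_1) = \mathrm{result}'(t_3) = \mathrm{halt}, \qquad 
\mathrm{result}(t_2) = \mathrm{result}'(t_4) = \mathrm{halt}, \qquad 
\mathrm{result}(t_\omega) = \mathrm{diverges}.$$ 

Axiom 3.3 holds because no term has two distinct E steps. Axiom 3.4(1) holds by construction, and 3.4(2) holds because each E step relates two terms with the same result. For 3.4(3) the only N step from a term that is not E-normal is $t_1 \to_N t_2$; the E step $t_1 \to_E t_3$ is answered by $t_2 \to_E t_4$. For 3.4(4) the N step $t_3 \to_N t_4$ starts at an E-normal form and $\mathrm{result}(t_3) = \mathrm{result}(t_4)$. Every step is therefore in MP. The axiom does real work: remove the E step $t_2 \to t_4$, so that $t_2$ becomes E-normal, and set $\mathrm{result}'(t_2) = \mathrm{error}$; then $t_1 \to_N t_2$ and $t_1 \to_E t_3$ violate 3.4(3), and indeed $\mathrm{result}(t_1) = \mathrm{halt} \neq \mathrm{error} = \mathrm{result}(t_2)$, so the N step is no longer in MP. 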

Lemma 3.5 (Non- Evaluation Steps on Eval-Normal Forms). Ifti <A> t 2 
and is-nf(E,ti), then t\ t 2 - □ 

4 Lift/Project Diagrams for Meaning Preservation 

This section presents properties of rewrite step sets in definition 4.1 and shows 
how to use them to prove meaning preservation, the important connection be- 
tween arbitrary-strategy rewriting and evaluation. When evaluation is defined 
by a subset of the rewrite steps (specified in an AES by the set E), it is necessary 
to show that arbitrary rewriting preserves the evaluation result in order to have 
confidence that the non-evaluation rewrite steps are at all meaningful. Tradition- 
ally, this has been done by proving confluence (Conf) and standardization (Std), 
the preconditions of Plotkin’s approach [25] (presented in lemma 4.5(1,2)). 

Needing confluence and standardization is a big weakness, as shown by the 
non-confluent system in [17] and the calculus we mention in section 9 

which has neither confluence nor standardization. In contrast, our new method 
in theorem 4.3 needs only the lift/project with termination (LPT) property. 
By lemma 4.2, LPT can be obtained from the lift (Lift) and project (Proj) 
properties. Because lift and project do not imply confluence (lemma 4.5(4)), 
theorem 4.3 does not need confluence. Furthermore, because LPT implies nei- 
ther lift nor project (lemma 4.2(8,10)) and lift is equivalent to standardization 
(lemma 4.4(1)), theorem 4.3 does not need standardization when lift is not used. 

Theorem 4.3 differs from earlier work of Machkasova and Turbak [17] in several important ways. First, it is abstract (syntax-free). Second, it provides explicit support for separately proving meaning preservation for different subsets of the non-evaluation rewrite steps. This vastly simplifies auxiliary termination proofs (e.g., for properties Bnd or BE as used in definition 5.1) and is vital when a single method fails to cover all N steps (e.g., section 9). Third, it needs only the weaker LPT property rather than lift and project. This is vital because lift is equivalent to standardization, so the Machkasova/Turbak method fails for systems without standardization (e.g., section 9). 



Definition 4.1 (Lift, Project, and Related Properties). Define the following rewrite step sets and properties of rewrite step sets (each is given by a diagram, recorded here by name only): 

Lift: s ∈ Lift ⇐ [diagram] 

Lift': s ∈ Lift' ⇐ [diagram] 

Project: s ∈ Proj ⇐ [diagram] 

Lift/Project: s ∈ LP ⇐ [diagram] 

Strong Lift: SLift(S) ⇐ [diagram] 

Strong Project: SProj(S) ⇐ [diagram] 

Strong Lift/Project: SLP(S) ⇐ [diagram] 

Lift/Project when Terminating: s ∈ LPT ⇐ [diagram] 

□ 



The Lift and Proj properties given here match the properties by the names "Lift" and "Project" in [17], except that there both properties are defined on the entire rewriting system rather than on individual rewrite steps and both properties specify the step on the left diagram edge to be an N step (the latter difference being inessential). Only the weaker Lift', which is symmetrical with Proj, is actually needed together with Proj to obtain LPT (lemma 4.2(7, 9)). However, Lift' can not replace Lift in the statement of lemma 4.4(1). 

Lemma 4.2 (Relationships between Lift and Project Properties). 

1. E ⊆ Lift ∩ Proj. 

2. If SLift(S), then S ⊆ Lift. 

3. If SProj(S), then S ⊆ Proj. 

4. If SLP(S), then S ⊆ LP. 

5. Lift ⊆ Lift'. 

6. Lift' ⊆ Lift need not be true. 

7. Lift' ∩ Proj ⊆ LP. 

8. None of LP ⊆ Lift' ∩ Proj, LP ⊆ Lift', and LP ⊆ Proj need to be true. 

9. LP ⊆ LPT. 

10. LPT ⊆ LP need not be true. 

□ 
Theorem 4.3 (Relationships between Lift, Project, and Meaning Preservation). 

1. LPT ⊆ MP. 

2. MP ⊆ LPT need not be true. □ 



Proof. 

1. Suppose s ∈ LPT. Let t1 -s-> t2. Suppose neither has-nf(E, t1) nor has-nf(E, t2). By axiom 3.4(1), it holds that result(t1) = diverges = result(t2), so s ∈ MP. Suppose instead that either has-nf(E, t1) or has-nf(E, t2). Suppose has-nf(E, t1) (w.l.o.g. because only t1 ≈ t2 is used). Then t1 -E->* t3 for some E-normal form t3. By s ∈ LPT, it holds that t3 -N->* t4 <-E-* t2 for some t4. Because is-nf(E, t3), by lemma 3.5 it holds that t3 ≈ t4. By axiom 3.4(2) and induction on the lengths of rewrite sequences, it holds that t1 ≈ t3 and t2 ≈ t4. Thus, t1 ≈ t2. Thus, s ∈ MP. 

2. Consider this 4-term 3-step AES where all results are the same: 

[diagram: t1 → t2 and t3 → t4, with one E step] 

Then MP = 𝕊, but MP \ LPT = {sa}. 

□ 



4.1 Comparison with Traditional Approach 

This subsection compares the lift & project method of Machkasova and Turbak and our LPT method with the traditional confluence & standardization method. Plotkin's traditional approach [25] was separated out and presented abstractly by Machkasova [16] in a form similar to the combination of the proofs of lemma 4.5(1), lemma 4.2(9), and theorem 4.3(1). We have reformulated the argument for the AES framework and modified it to work on subsets of 𝕊. Furthermore, we have factored the argument to show it goes through LP (lemma 4.5(1)) and LPT before reaching MP. Thus, it appears that the main previously known rewriting-based methods of showing meaning preservation implicitly use the LPT diagram. Interestingly, in lemma 4.5(3, 4) it is shown that the confluence & standardization method and the lift & project method are incomparable in their power; each can address problems that the other can not. Section 5 will develop another method (WB\Std in definition 5.1) of proving LPT which can address yet more problems, because it does not require standardization. 

The following equivalence of Lift and standardization in lemma 4.4(1) appears 
in [16], although here it has been parameterized on rewrite step sets. 

Lemma 4.4 (Lift Equivalent to Standardization). 

1. S ⊆ Lift iff Std(S ∪ E). (Consequently, Lift = 𝕊 iff Std(𝕊).) 

2. The above statement need not be true with Lift replaced by Lift'. □ 
Proof. 

1. Std(S ∪ E) ⇒ S ⊆ Lift is immediate. S ⊆ Lift ⇒ Std(S ∪ E) is proven by induction on the length of rewrite sequences. 

2. Consider this 7-term 8-step AES where all results are the same: 

[diagram: seven terms t1, ..., t7 joined by steps s1, ..., s8, among them E steps s4 and s5] 

Note that Lift' = 𝕊, but Lift' \ Lift = {s2}. The desired Std(𝕊) is false, because t1 ↠ t6 but there is no t such that t1 ↠ t ↠ t6 with the edge labels Std(𝕊) requires. □ 



Lemma 4.5 (Relationships between Confluence + Standardization and Lift + Project). 

1. If Conf(S ∪ E) and Std(S ∪ E), then S ⊆ LP. 

2. Consequently, Conf(S ∪ E) and S ⊆ Lift imply S ⊆ MP. 

3. If Conf(S ∪ E) and Std(S ∪ E), then S ⊆ Proj need not be true. 

4. Conf(Lift ∩ Proj) need not be true. □ 

Proof. 

1. Suppose that Conf(S ∪ E) and (*) Std(S ∪ E) hold. Using the reason (*) as indicated, the following diagram proves S ∪ E ⊆ LP and thus S ⊆ LP: 

[diagram: the LP square, with the inner squares justified by Conf(S ∪ E) and by (*)] 

2. By lemmas 4.2(9), 4.4, and 4.5(1) and theorem 4.3(1). 

3. Consider this 3-term 5-step AES: 

[diagram: three terms with steps s1 (E), s2 (N) and s3 (N)] 

Then Conf(N ∪ E) and Std(N ∪ E), but N \ Proj = {s2}. 

4. Consider this 3-term 2-step AES where all results are the same: 

[diagram: three terms with steps s1 and s2] 

Then Lift = Proj = 𝕊, but ¬Conf(𝕊). 

□ 
5 Elementary Diagrams for Strong Lift/Project 

According to section 4, one can prove rewrite step sets to have the LPT property in order to prove meaning preservation. Furthermore, LPT can be obtained via stronger properties such as the lift and project properties. However, proving these properties can be very difficult. 

To help, this section provides abstract methods for proving strong lift, strong project, and/or strong lift/project for particular rewrite step sets. Definition 5.1 defines that a rewrite step set is well behaved when it satisfies either the WB+Std or WB\Std properties. In turn, each of these is a conjunction of a small number of specific properties, one termination property and some elementary diagrams, i.e., diagrams where the given edges are two adjacent single rewrite steps. The WB+Std and WB\Std properties are about rewrite step sets rather than individual steps because it is necessary to simultaneously treat all the steps in a set that is closed under (an informal and only intuitive notion of) "residuals with respect to evaluation steps". This section's main result (theorem 5.4) is that a well behaved rewrite step set S has either the strong lift and strong project properties or the strong lift/project property. 

Each of WB+Std and WB\Std has particular advantages. The termination property of WB+Std requires only a bound on the number of E steps in a rewrite sequence (BE), not full termination. When used together with the methods of section 6, this is significantly weaker than the finite developments property needed by some other proof methods, because it allows infinite developments (and there is no requirement that coinitial developments can be completed to be cofinal). In contrast, WB\Std requires a stronger termination property, but replaces the WL1 and WP1 elementary diagrams with the weaker diagram WLP1. The big advantage of WLP1 is that it does not require standardization. Although WB\Std(S) requires local confluence for S, in fact it is sufficient to have only confluence (lemmas 5.2(3) and 5.3(3)) and the local confluence requirement is only there so that the preconditions of WB\Std(S) are elementary diagrams. 



Definition 5.1 (Well Behaved Rewrite Step Sets). Let N*EN*(S) be the relation … . Define the following rewrite step set properties (each diagram is recorded here by name only): 

N-Steps Do Not Create E-Steps: NE(S) ⇐ [diagram] 

Bounded E-Steps: BE(S) ⇐ Bnd(N*EN*(S)) 

Weak Lift 1-Step: WL1(S, S') ⇐ [diagram] 

Weak Lift/Project 1-Step: WLP1(S) ⇐ [diagram] 

Weak Project 1-Step: WP1(S) ⇐ [diagram] 

Standardization to Normal Form: Std-nf(S) ⇐ [diagram] 

Well Behaved with Standardization: WB+Std(S) ⇐ BE(S) ∧ WL1(S, S) ∧ WL1(S, 𝕊) ∧ WP1(S) 

Well Behaved without Standardization: WB\Std(S) ⇐ Trm(S) ∧ LConf(S) ∧ NE(S) ∧ WLP1(S) 

Lemma 5.2 (Confluence and Standardization-Like Properties). 

1. If BE(S) and WL1(S, S), then Std(S, S). 

2. If LConf(S) and Trm(S), then Conf(S) (Newman's Lemma). 

3. If Conf(S), Trm(S), and NE(S), then Std-nf(S). □ 

Lemma 5.3 (Strong Lift and Project Properties). 

1. If WL1(S, 𝕊) and Std(S, S), then SLift(S). 

2. If WP1(S) and Std(S, S), then SProj(S). 

3. If Conf(S), Trm(S), Std-nf(S), and WLP1(S), then SLP(S). □ 

Theorem 5.4 (Well Behaved Rewrite Step Sets). 

1. If WB+Std(S), then SLift(S) and SProj(S). 

2. If WB\Std(S), then SLP(S). □ 

Proof. By definition 5.1 and lemmas 5.2 and 5.3. □ 



6 Marked Rewriting and Developments 

Sometimes, a desired termination property (e.g., BE from definition 5.1, Bnd, Trm, or Nrm) fails for a step set S generated by some rewrite rule(s), but holds for S ∩ M where M is a set of marked steps. The marks typically force termination by forbidding contracting unmarked redexes and ensuring that "created" redexes are unmarked. To use this method, the desired rewriting system is embedded in a larger marked system with additional marked terms and rewrite steps, so proving the larger system correct also proves the desired system correct. 

This section defines conditions on marking and theorem 6.4 proves that when these conditions hold, proving LPT for S ∩ M (i.e., the marked fragment of the larger marked system) is sufficient to prove LPT for S (i.e., both the marked and unmarked steps in the larger system). Thus, when any of this paper's methods for proving meaning preservation work for S ∩ M, the methods also work for S. It is worth observing that the style of proof of theorem 6.4 can be repeated for many properties other than LPT, e.g., for Lift (and therefore for standardization). 

This section's methods are related to developments. A development is a rewrite step sequence starting from a term t where each step contracts a redex which represents work that was already in t and "created" redexes are not contracted. Usually, the notions of "work already present" and "created" are defined using residuals of redexes across rewrite steps, sometimes defining residuals using marks. This section's methods do not need any notion of residual. This is important because there do not seem to be good ways to define residuals for many rewriting systems, e.g., those with highly overlapping rewrite rules. 

A mark structure for an AES is a tuple 

(Marks, markOf, noMark, rename) 

satisfying axiom 6.1 below and the following conditions. The set Marks is non-empty and does not contain *. The function markOf maps 𝕊 to Marks ∪ {*}. The mark noMark is a member of Marks. The function rename is of type (Marks × Marks) → (T → T). Let m range over Marks. Let M = { s ∈ 𝕊 | markOf(s) ≠ noMark }. Let the statement markOccurs(m, t) hold iff there exist s and t' such that t -s-> t' and markOf(s) = m. 

The intended meaning is as follows. The set Marks should contain marks used to track redexes. Each rewrite step s should be marked by the mark markOf(s). The special mark noMark means "no mark at all". The symbol * means "can be considered to be any mark because we do not track this kind of rewrite step with marks"; this is a convenience for systems where only some steps have marked versions. The operation rename(m1, m2)(t) should produce a new term t' resulting from renaming all occurrences of the mark m1 in t to m2. 



Axiom 6.1 (Marking Sanity) 

1. Marked Erasure: For S ∈ {E, N}, [diagram: an S step commutes with rename(m, m')] 

2. E Marked Unerasure: [diagram: an E step from rename(m, m')(t1) is the image under rename(m, m') of an E step t3 → t4] 

3. Erasing Nonexistent Mark: If ¬markOccurs(m, t), then rename(m, m')(t) = t. 

4. Marks Not Introduced by Rewriting: If ¬markOccurs(m, t), m ≠ noMark, and t → t', then ¬markOccurs(m, t'). 

5. Fresh Marks: For any term t, there exists a mark m ≠ noMark such that ¬markOccurs(m, t). 

□ 



Convention 6.2 In this paper, wherever no specific mark structure is being 
considered, statements are about every possible mark structure. □ 



Definition 6.3 (Rewrite Step Set Property for Marks). 

N Step Can Be Marked: NM(S) ⇐ [diagram: given m ≠ noMark ∧ ¬markOccurs(m, t1), an N step t1 → t2 in S is the image under rename(m, m') of a marked step] 

□ 

Theorem 6.4 (Lift/Project when Terminating via Marks). If S ∩ M ⊆ LPT and NM(S), then S ⊆ LPT. □ 

Proof. Using axiom 6.1, lemma 4.2(1), and definitions 6.3 and 4.1. □ 

7 Example: The Call-by-Name λ-Calculus 

This section gives an example of the use of our AES framework and our diagram-based methods for proving meaning preservation. The AES and a mark structure will be defined and then the top-level proof strategy will be presented. 

We choose the call-by-name λ-calculus with left-most outermost evaluation to weak head normal forms because it is a small system, needs the mark structure features of section 6, will already be familiar to most readers, and is one of the two systems treated by Plotkin's seminal paper [25]. This system has both confluence and standardization. To illustrate the extra power of our proof methods, we would have preferred to present an example system which does not have these properties, but unfortunately our smallest worked-out example takes many pages in LNCS format to even define and does not need the features of section 6. 

Define the AES for the call-by-name λ-calculus as follows. First, define the AES carrier sets T, 𝕊, and R as well as the evaluation step subset E. 

x, y, z ∈ Variable 

t ∈ Context ::= □ | x | (λx t) | (t1 t2) | (let^n x = t2 in t1)   (n ≥ 1) 

t ∈ T = { t | t has no hole □ } 

E ∈ EvalContext ::= □ | (E t) 

R ∈ Redex ::= (let^n x = t2 in t1) | ((λx t1) t2)   (n ≥ 1) 

s ∈ 𝕊 = { (t, R) | t has 1 hole □ } 

E ::= (E, R) 

r ∈ R = {diverges, stuck, halt} 

In the term syntax, (let^n x = t2 in t1) is used to indicate a marked β-redex. Terms and contexts are identified modulo α-conversion as usual. For contexts, α-conversion can not rename bound variables whose scope includes a hole. Substitution of t for x in t', written t'[x := t], is defined as usual. Placing a term or context X in the hole of a one-hole context t, written t[X], is defined as usual. 

Now, finish defining the AES by supplying the functions. 

endpoints(t, (let^n x = t2 in t1)) = (t[let^n x = t2 in t1], t[t1[x := t2]]) 
endpoints(t, ((λx t1) t2)) = (t[(λx t1) t2], t[t1[x := t2]]) 

result(t) = diverges   if ¬has-nf(E, t) 
          = halt       if t -E->* λx t' 
          = stuck      if t -E->* t' ≠ λx t'' 
Define an accompanying mark structure as follows. 

Marks = {0, 1, 2, ...} 

noMark = 0 

markOf(t, (let^n x = t2 in t1)) = n 

markOf(t, ((λx t1) t2)) = 0 

rename(m1, m2) = θ where 

θ(x) = x 

θ(λx t) = λx θ(t) 

θ(t1 t2) = θ(t1) θ(t2) 

θ(let^m1 x = t2 in t1) = (let^m2 x = θ(t2) in θ(t1))   if m2 ≠ 0 

θ(let^m1 x = t2 in t1) = (λx θ(t1)) θ(t2)   if m2 = 0 

θ(let^m x = t2 in t1) = (let^m x = θ(t2) in θ(t1))   if m ≠ m1 

Lemma 7.1 (The Framework User's Proof Burden). 

1. Axioms 3.3, 6.1, and 3.4 hold. 

2. WB+Std(M). 

3. NM(𝕊). 

4. If t1 → t2, then t[t1] → t[t2] for any context t. 

□ 

Proof. Many standard proofs by induction which are left to the reader. The only difficult bit is BE(M) (part of WB+Std(M)). First, Trm(M) is proven by a known argument (e.g., see [5]) of rearranging the mark values so that rewriting decreases the multiset of all marks in the term in the multiset extension of <. Because the rewriting system is finitely branching, this is equivalent to Bnd(M), which in turn implies BE(M). □ 



Theorem 7.2 (Meaning Preservation). 𝕊 ⊆ MP. □ 

Proof. Everything implicitly relies on lemma 7.1(1). By lemma 7.1(2) and theorem 5.4(1), SLift(M) and SProj(M). By lemma 4.2(2, 3, 5, 7, 9), 𝕊 ∩ M = M ⊆ LPT. By lemma 7.1(3) and theorem 6.4, 𝕊 ⊆ LPT. By theorem 4.3(1), 𝕊 ⊆ MP. □ 

Corollary 7.3 (Observational Equivalence). If t1 → t2, then result(t[t1]) = result(t[t2]). □ 

Proof. Suppose t1 → t2. By lemma 7.1(4), t[t1] → t[t2]. By theorem 7.2 and the definition of MP, result(t[t1]) = result(t[t2]). □ 



8 Related Work 

The most closely related work is by Machkasova and Turbak [16, 17, 18]. Their work is discussed throughout this paper, so only a few points will be made here. First, our BE property corresponds to their complicated notion of γ-development [18, sec. 4.5]. The γ-development idea may be implicitly the same as BE [18, p. 193], but the exact relationship is unclear due to the complexity. Second, Machkasova's requirement of γ-confluence on evaluation is incomparable with our requirement of evaluation subcommutativity (axiom 3.3). Because γ-confluence involves the complicated γ-development machinery, we prefer our simpler requirement. Third, our proof diagrams for parts 1 and 2 of lemma 5.3 are similar to some in [18], but are simpler because we do not use γ-developments and we treat marks for developments separately (section 6). 
Ariola and Blom [2] define the notion ARSI (ARS (abstract rewriting system) with information content). Using the ordering of an ARSI A, they obtain the infinite normal form of a term t from the information content of all terms t' such that t ↠ t'. They show how to prove A preserves infinite normal forms by finding a sub-relation of → satisfying a diagram roughly like this [2, cor. 4.14]: 

[diagram: t1 → t2 on the top edge, t3 and t4 on the bottom edge] 

The quickest explanation of their relation is to point out that the closest corresponding diagram in our AES framework would be this: 

[diagram: s ∈ GLP ⇐ t1 -s-> t2 completed via a bottom edge t3 ↠ t4] 

Key differences between the Ariola/Blom approach and ours are as follows. First, they provide no abstract methods for proving their diagram (corresponding to our elementary diagrams in section 5) but instead prove it individually for each use. Second, the GLP diagram is a stronger requirement than LPT (in fact, LP ⊆ GLP ⊆ LPT), so our methods in section 4 are more general. Third, their framework does not provide help in showing the correspondence (needed to prove observational equivalence for the rewriting system) between infinite normal forms (their notion of meaning) and the actual operational semantics, so this burden is left to the user. Fourth, they encourage using a notion of information content which is more complicated than needed for proving meaning preservation (unlike our set M); in fact, their information content seems enough to build a fully abstract model. 

Odersky [23] gives conditions proving that a proposed contextually closed transformation ~ is an observational equivalence. One condition is that ~ is locally stable [23, p. 2, diagram (2)]: 

[diagram: t1 → t2 on the top edge, closed below by parallel similarity] 

The relation … is parallel similarity, i.e., the use of ~ simultaneously at many different (presumably non-overlapping) positions. Another condition is that ~ preserves answers, i.e., ~ ∘ (is-nf(E, t2) ∪ ↠ ∘ …). 

Odersky's approach is related as follows. Where Odersky uses → (normal rewriting) and ~ (observational equivalence), we would use … and …. Odersky's approach has two versions. In the version shown above, meaning preservation is defined as convertibility in the entire rewriting system with a set of answers (E-normal forms in our setting). The question is then whether more rewrite rules can be safely added. In this case, the diagram must be proven for all rewrite steps. The other version takes an evaluation strategy like we do. In this case, using ~ on the bottom edge seems more general, but it also seems that in practice this diagram edge would be completed with E steps. Where Odersky uses …, we would typically use … and a combination of one of the well-behavedness conditions of section 5 and the marks of section 6. Odersky's use of parallel (simultaneous) rewriting corresponds to our use of a termination property. 

Key differences between Odersky's approach and ours are as follows. Much of Odersky's approach is tied to syntactic extensions of the λ-calculus while our approach is abstract. Odersky does not provide elementary diagrams where each given edge is a single use of a rewrite rule; it seems that one must work with full parallel similarity. Odersky appears to assume standardization is already proven while our approach proves whatever standardization is needed and can work without it. Odersky's approach requires a notion of "preserving evaluation contexts" which we do not fully understand but which we are fairly sure one of our intended applications does not satisfy. Odersky does not distinguish terms that go wrong from those that either diverge or halt normally; thus his framework can not verify that rewriting does not switch between non-wrong and wrong. 



9 Future Work 



The generalizations of our AES framework and LPT diagrams were developed to handle λ^{:=letrec}, a calculus we are developing for reasoning about call-by-value higher-order programs with mutable reference cells and mutually recursive definitions (i.e., letrec). Evaluation of assignment statements can introduce cycles in the store, so evaluation results may need letrec even if the initial program was letrec-free. A specific evaluation strategy is given for the λ^{:=letrec} calculus to define the meaning of programs. Calculi for assignments have been done before (e.g., [11]), but λ^{:=letrec} also includes improvements like very simple evaluation contexts as well as rules for letrec in the style of the work of Ariola and Blom [2]. The only previously known methods for reasoning about the correctness of Ariola/Blom style letrec rules seem more difficult to us. 

The development of λ^{:=letrec} is nearing completion. Because λ^{:=letrec} is non-confluent (due to using rules for letrec that Ariola and Klop [5] proved non-confluent), we were using the lift & project method to prove meaning preservation. It does not have finite developments, but has a number of rule subsets whose associated rewrite step sets satisfy the BE property. The last barrier to completing the proof of meaning preservation was several critical pairs of a rule named [lift] (name unrelated to the Lift diagram from definition 4.1). One particularly irritating critical pair is only completable as follows: 

[diagram: a critical pair closed using an N step of the [lift] rule] 

Unfortunately, this breaks standardization, so the lift & project proof method fails. We considered changing the definition of λ^{:=letrec}, but felt that the changes to "fix" this critical pair would probably break something else. Also, the rules of λ^{:=letrec} are clearly meaning preserving, so we felt that rather than forcing λ^{:=letrec} through awkward contortions to fit a weak proof method, it was the proof method that should be fixed. Fortunately, the WB\Std property can be proven for the [lift] rule steps, so we expect to complete the work soon. 

After λ^{:=letrec} is completed, we want to apply our proof methods to equational reasoning for assembly language and maybe also to explicit substitutions. 
Abstract. We introduce a new higher-order rewriting formalism, called Expression Reduction Systems with Patterns (ERSP), where abstraction is not only allowed on variables but also on nested patterns. These patterns are built by combining standard algebraic patterns with choice constructors used to denote different possible structures allowed for an abstracted argument. In other words, the non deterministic choice between different rewriting rules which is inherent to classical rewriting formalisms can be lifted here to the level of patterns. We show that confluence holds for a reasonable class of systems and terms. 



Introduction 

Higher-order rewrite systems are able to combine formalisms coming from proof theory, such as λ-calculus, with formalisms arising in algebraic specifications, such as first-order rewrite systems. The main idea behind higher-order rewriting concerns the transformation of terms in the presence of binding mechanisms for variables and substitutions. Thus for example, functional and logic programming, equational reasoning, object-oriented programming, concurrent systems and theorem provers may be encoded by higher-order rewrite systems. 

Many higher-order rewrite systems exist in the literature starting at the seminal work by J-W. Klop [15]. Many other interesting formalisms [4,13,17,20,22] were introduced later. The theory of higher-order rewriting is considerably more involved than that of first-order rewriting; many articles were devoted to the study of its foundations, applications, semantics and implementation. 

In all the higher-order formalisms mentioned before the binding mechanism is only allowed on variables. However, most popular functional languages and proof assistants allow definitions by cases via pattern-matching mechanisms. Thus, a natural extension of higher-order rewriting consists in the use of binders for patterns so that a projection function like λ(x, y).x would also be acceptable. 

The Pattern-Matching Calculus [12], proposed as a theoretical framework to study pattern-matching in a pure functional paradigm, allows precisely this kind of binding mechanisms. Its evaluation process is given by the following generalization of the standard β-rule to the case of patterns: 

(β_pm) app(λX.M, N) → M{X by N} 

where X denotes a pattern and {X by N} denotes a substitution resulting from the pattern-matching operation on the pattern X and the term N. 
This calculus was later extended with explicit operators [6,5,9]; weak reduction was widely studied in [9]. Another language allowing abstractions on patterns is the ρ-calculus [8], for which typing [14] and explicit operators [7] were defined and analyzed. 

In this paper we introduce a new higher-order formalism, called Expression Reduction Systems with Patterns (ERSP), where binding mechanisms are allowed on complex patterns. Our calculus constitutes an extension of ERS [13] and SERS [4] to the case of patterns, and a generalization of the Pattern-Matching Calculus to the case of general higher-order rewriting (and not only functional rewriting). ERSP patterns are defined as combinations of standard algebraic structures with special choice constructors used to denote different possible syntactic forms for any abstracted argument. Thus for example, the function which computes the length of a given list may be specified as the following ERSP term: 

λ a(nil, cons(x, t)).a(0, 1 + len(t)) 

where λ is the classical function binder, a is a special variable used to identify the set of choice patterns nil and cons(x, t) with the set of their corresponding continuations 0 and 1 + len(t). 

We carefully extend all the expected notions of rewriting to our framework, namely, terms, metaterms, rewrite rules, substitutions, reduction, etc. We then identify a class of ERSP, called orthogonal l-constructor systems, and a class of terms, called l-constructor deterministic terms, for which confluence holds. More precisely, reduction on this class of terms via this class of systems corresponds to reduction on ordinary terms (without patterns) in classical orthogonal higher-order systems [17,20]. Much more, our confluence result turns out to give in particular a confluence result for SERS. 

The paper is organized as follows. Sections 1 and 2 introduce the basic ingredients of the syntactic formalism ERSP. In Section 3 we develop an example of reduction in our framework. Section 4 is devoted to study a restriction of the class of ERSP so that confluence will follow (Section 5). We conclude and give many further research directions in Section 6. By lack of space we cannot provide here all the proofs but a complete version of this work can be found in [10]. 



1 Basic Notions of the ERSP Formalism 



We consider a set UV of usual variables denoted x, y, z, ..., a set CV of choice variables denoted a, b, c, ..., a set PV of pattern metavariables denoted X, Y, ..., a set TV of term metavariables denoted M, N, ..., a set F of function symbols equipped with a fixed (possibly zero) arity, denoted f, g, h, ..., a set B of binder symbols denoted λ, μ, ν, .... We assume all these sets to be denumerable and disjoint. When no special distinction is needed for the previous sets of variables and metavariables we will use the symbols x̄, ȳ, z̄, .... 
Metapatterns (p) and metaterms (t) are generated by the grammars: 

p ::= x              usual variable 
    | X              pattern metavariable 
    | f(p, ..., p)   algebraic 
    | a(p, ..., p)   choice 
    | @(p, ..., p)   contraction 
    | _              wildcard 

t ::= x              usual variable 
    | M              term metavariable 
    | f(t, ..., t)   algebraic 
    | a(t, ..., t)   case 
    | μp.t           abstraction 
    | t{p by t}      pattern-matching 

The constructor @() is variadic, i.e. it has no fixed arity. The constructor a() is also variadic, but with an arity different from 0. We assume that whenever a choice variable a appears inside t, then all its occurrences have the same arity: thus, a term like μa(x).a(x, y) is not allowed. The symbol { by } is called the pattern-matching constructor. The metaterms μp.t and t{p by t'} define bindings whose scope is t for all the (usual and choice) variables occurring in p. 

A metapattern (resp. metaterm) is said to be a pattern (resp. preterm) if 
it contains no metavariables. A preterm is said to be a term if it contains no 
pattern-matching constructors. 

We denote by MV(p) (resp. Var(p)) the set of all the pattern metavariables (resp. variables) appearing in a metapattern (resp. pattern) p. We denote by MV(t) the set of all the term metavariables appearing in t. 

Definition 1. A metapattern is called linear if each variable and metavariable appears at most once in it. We use the notation p ∈ p' to say that the metapattern p appears inside the metapattern p'. A metaterm t is called p-linear iff every metapattern p in t is linear. 

Let us illustrate the use of our syntax by considering the fibonacci function specified by the equations fib(0)=0, fib(1)=1 and fib(x+2)=fib(x)+fib(x+1). 

Using a choice variable a of arity 3 to encode the three different choices given by the previous specification, one possible specification of fib in our syntax is: 

fib(M) → app(λ a(0, s(0), s(s(x))).a(0, s(0), app(fib, x) + app(fib, s(x))), M) 

where app is the application symbol, λ is the classical function binder, and natural numbers are encoded by 0, s(0), s(s(0)), .... 



A position is a word over the alphabet ℕ; we use ε to denote the empty word. The set of positions of a metaterm t, denoted POS(t), is defined as usual [1] except for the term s{p by u} for which we have 1.1.q ∈ POS(s{p by u}) if q ∈ POS(s) and 2.q ∈ POS(s{p by u}) if q ∈ POS(u) (see also [4] and [10]). The justification of this case comes from the fact that s{p by u} is informally considered as "app(μp.s, u)" when reasoning about positions. The submetaterm of t at position p is written as t|p. When t|p = u, we will say that p is an occurrence of u in t. 

The following notion is used to describe the set of variables/metavariables appearing along a given path which will play later a role of "bound" objects in terms/metaterms. 
Definition 2 (Parameter Path). Given a metaterm $s$ and $q \in \mathit{POS}(s)$, we define the parameter path of $s$ at position $q$, written $\mathcal{PP}(s,q)$, as the following subset of variables and metavariables of $s$:

$$\mathcal{PP}(s, \varepsilon) = \emptyset$$
$$\mathcal{PP}(f(s_1,\ldots,s_n), i.q) = \mathcal{PP}(s_i, q), \quad \text{for } i \in \{1 \ldots n\}$$
$$\mathcal{PP}(a(s_1,\ldots,s_n), i.q) = \mathcal{PP}(s_i, q), \quad \text{for } i \in \{1 \ldots n\}$$
$$\mathcal{PP}(\mu p.s, 1.q) = \mathit{Var}(p) \cup \mathit{MV}(p) \cup \mathcal{PP}(s, q)$$
$$\mathcal{PP}(u\{p\ \mathrm{by}\ v\}, 1.1.q) = \mathit{Var}(p) \cup \mathit{MV}(p) \cup \mathcal{PP}(u, q)$$
$$\mathcal{PP}(u\{p\ \mathrm{by}\ v\}, 2.q) = \mathcal{PP}(v, q)$$

As an example, if $t = M\{g(X,x)\ \mathrm{by}\ \mu a(Y, s(Y)).N\}$, then we have $\mathcal{PP}(t,2) = \emptyset$, $\mathcal{PP}(t,1.1) = \{X, x\}$, and $\mathcal{PP}(t,2.1) = \{Y, a\}$.

We assume that different "non parallel" metapatterns appearing on the same path cannot share (meta)variables. Thus, for example, $\mu X.\lambda X.M$ or $\lambda x.\mu x.M$ are not allowed, but the metaterm $t$ given above is allowed. This is just a generalization of what is called "Barendregt's convention on bound variables".

The set of free (meta)variables of a metaterm $t$, written $\mathit{FV}(t)$, is defined as usual. All the variables appearing in a metaterm $t$ that are not free are called bound variables. Without loss of generality we assume the sets of free and bound variables to be disjoint. We work modulo $\alpha$-conversion on preterms, so that renaming of bound variables is used when necessary to avoid clashes. Thus, for example, $\mu a(x,y,z).a(x,x,v) =_\alpha \mu b(x',y',z').b(x',x',v)$.

Definition 3 (Well-formed metaterm). A metaterm $t$ is well-formed iff $t$ has no free occurrences of choice/usual variables.

The metaterms $\mu x.M$, $\mu X.M$, $\mu x.f(M,x)$ and $\mu a(x,y).a(x,y)$ are well-formed, while $f(a(g,g))$ and $f(x)$ are not.

The following notion is used to talk about the free variables of a term which remain after a given choice on a choice variable.

Definition 4 (Localized Free Variables). Given $a \in \mathit{CV}$, $i \geq 1$ and a preterm $t$, the set $\mathit{FV}^i_a(t)$ of localized free variables of $t$ is defined as usually done for the set of free variables, except for the following case:

$$\mathit{FV}^i_a(a(t_1,\ldots,t_n)) = \mathit{FV}^i_a(t_i) \quad \text{if } 1 \leq i \leq n$$

Indeed, $\mathit{FV}^i_a(b(x,y,z)) = \{b, z, x, y\}$ for any $i$ and $\mathit{FV}^1_a(a(x,y,z)) = \{x\}$. Moreover, as we work modulo $\alpha$-conversion we have $\mathit{FV}^1_a(\mu a(x,y).a(f(x,z),u)) = \mathit{FV}^1_a(\mu b(x,y).b(f(x,z),u)) = \{z,u\}$.

Definition 5 (Acceptable preterms). Acceptability is the least relation on preterms containing the variables such that:

- If $t_1, \ldots, t_n$ are acceptable, then $f(t_1,\ldots,t_n)$ and $a(t_1,\ldots,t_n)$ are acceptable for any $f \in \mathcal{F}$ and any $a \in \mathit{CV}$.

- If $t$ is acceptable and $p$ is a pattern such that for all $a(p_1,\ldots,p_n) \in p$, for all $i \in 1 \ldots n$ and for all $j \neq i$ we have $(\mathit{FV}^i_a(t) \setminus \mathit{Var}(p_i)) \cap \mathit{Var}(p_j) = \emptyset$, then $\mu p.t$ is acceptable.

- If $\mu p.t$ and $u$ are acceptable, then $t\{p\ \mathrm{by}\ u\}$ is acceptable.

The role of acceptability is to prevent the creation of new free variables during evaluation. Indeed, the terms $\mu a(x,x).a(x,x)$ and $\mu a(x,y).a(x,y)$ are acceptable, while $\mu a(x,y).b(x,y)$ is not, since $\mathit{FV}^1_a(b(x,y)) \setminus \mathit{Var}(x) = \{y, b\}$ and $\{y,b\} \cap \mathit{Var}(y) = \{y\}$. The term $\mu a(x,y).a(y,x)$ is not acceptable either: if we choose the first branch $x$ in the pattern $a(x,y)$, we then have to choose the first branch $y$ in the term $a(y,x)$, so $y$ becomes a new free variable.

Precontexts are preterms with one (and only one) occurrence of a distinguished constant called a "hole" (denoted $\square$). A context is a precontext with no occurrence of the pattern-matching constructor. We remark that acceptability is not closed under precontexts: for example, the preterm $a(x,y)$ is acceptable but $\lambda a(y,x).a(x,y)$ is not.

Definition 6 (Metasubstitutions/Substitutions). A metasubstitution $\theta$ is a pair $(\theta_m, \theta_v)$, with $\theta_m$ a denumerable set of pairs $X \triangleright p$ and $M \triangleright t$, and $\theta_v$ a denumerable set of pairs $x \triangleright t$ and $a \triangleright i$, where $t$ is a term, $i$ is a natural number and $p$ is a pattern. Application of $\theta$ to a (meta)variable $x$ is defined as $\theta x = o$ if $x \triangleright o \in \theta$, and $\theta x = x$ otherwise. We define $\mathit{id}$ as the empty substitution, i.e. $\mathit{id}\,x = x$ for every $x$. The domain of $\theta$ is given by $\mathit{Dom}(\theta) = \{x \mid x \triangleright o \in \theta \text{ and } o \neq x\}$. A substitution $\theta$ is a metasubstitution such that $\mathit{Dom}(\theta_m) = \emptyset$. A metasubstitution $\theta = (\theta_m, \theta_v)$ is said to be well-formed iff $\mathit{FV}(\theta_m M) \cap \mathit{Dom}(\theta_v) = \emptyset$ for every term metavariable $M$.

The union of two well-formed metasubstitutions $\theta_1$ and $\theta_2$ is denoted by $\theta_1 \cup \theta_2$. This union is only defined if the resulting metasubstitution is well-formed and if for every (meta)variable $x \in \mathit{Dom}(\theta_1) \cap \mathit{Dom}(\theta_2)$ we have $\theta_1 x = \theta_2 x$.

We are now ready to define the notion of pattern-matching. This operation is not defined in general as a function from patterns and terms to substitutions, but from patterns and terms to sets of substitutions. We will see later how to ensure the uniqueness of this result.

Definition 7 (Pattern-matching). To each pair $(p,t)$, where $p$ is a pattern and $t$ is a term, we associate a set of substitutions $\{\!\{p\ \mathrm{by}\ t\}\!\}$ as follows:

$$\mathit{id} \in \{\!\{\_\ \mathrm{by}\ t\}\!\}$$
$$\{x \triangleright t\} \in \{\!\{x\ \mathrm{by}\ t\}\!\}$$
$$\theta_1 \cup \ldots \cup \theta_n \in \{\!\{@(p_1,\ldots,p_n)\ \mathrm{by}\ @(t_1,\ldots,t_n)\}\!\} \quad \text{if } \theta_i \in \{\!\{p_i\ \mathrm{by}\ t_i\}\!\}$$
$$\theta_1 \cup \ldots \cup \theta_n \in \{\!\{f(p_1,\ldots,p_n)\ \mathrm{by}\ f(t_1,\ldots,t_n)\}\!\} \quad \text{if } \theta_i \in \{\!\{p_i\ \mathrm{by}\ t_i\}\!\}$$
$$\{a \triangleright i\} \cup \theta_i \in \{\!\{a(p_1,\ldots,p_n)\ \mathrm{by}\ t\}\!\} \quad \text{if } \theta_i \in \{\!\{p_i\ \mathrm{by}\ t\}\!\}$$

We remark that in the last three cases the result of $\{\!\{p\ \mathrm{by}\ t\}\!\}$ is defined only if $\cup$ is defined. Also, all the substitutions in $\{\!\{p\ \mathrm{by}\ t\}\!\}$ are well-formed since they do not map metavariables. When $\{\!\{p\ \mathrm{by}\ t\}\!\}$ is a singleton we will abuse notation by writing $\{\!\{p\ \mathrm{by}\ t\}\!\}$ to denote its only element.

As an example of the previous definition, the pattern-matching $\{\!\{a(0,x)\ \mathrm{by}\ 0\}\!\}$ has two solutions: $\{a \triangleright 1\}$ and $\{a \triangleright 2, x \triangleright 0\}$. This comes from the fact that the pattern $a(0,x)$ contains two "overlapping" subpatterns $0$ and $x$.

Definition 8 (Acceptable/linear metasubstitution). A metasubstitution $\theta$ is said to be acceptable (resp. linear) iff for every (meta)variable $x \in \mathit{Dom}(\theta)$, $\theta x$ is acceptable (resp. linear).

It is time to make the point w.r.t. capture of variables in higher-order rewriting.

In CRS [15,16], for example, a metaterm like $\lambda x.M(x)$ allows the (eventual) capture of the variable $x$ while $\lambda x.M$ does not. In this formalism the $\beta$-rule has to be written as $\mathit{app}(\lambda x.M(x), N) \to M(N)$, which does not correspond to the traditional way to express the $\beta$-rule.

In ERS [13] there is a metasubstitution operator which allows one to express the $\beta$-rule in a more traditional way as $\mathit{app}(\lambda x.M, N) \to M\{x/N\}$. The instantiation of the metavariable $M$ may or may not capture the variable $x$. However, we cannot assume $\alpha$-conversion on metaterms in this formalism: if we suppose $\lambda x.M =_\alpha \lambda y.M$, then the instantiation of $M$ by $x$ will give the two non $\alpha$-equivalent terms $\lambda x.x$ and $\lambda y.x$. In order to properly handle $\alpha$-conversion on terms but not on metaterms, two different levels of syntax are needed, and this is the approach taken in general in the ERS formalism (see also [4]).

To allow $\alpha$-conversion on the level of terms but not on that of metaterms, a special notion of instantiation is needed, so that the application of a metasubstitution $\theta = (\theta_m, \theta_v)$ to a metaterm is split into two different steps: $\theta_m$ is used as a first-order replacement, so that capture of variables can be provoked, while $\theta_v$ is used as a higher-order substitution, so that no capture of variables is possible.

Definition 9 (Applying a metasubstitution). Given a metasubstitution $\theta = (\theta_m, \theta_v)$ and a metaterm $t$, the application of $\theta$ to $t$ (or instantiation of $t$ by $\theta$) yields a set of terms, written $\theta(t)$, which is computed in two steps:

1. First compute the first-order replacement $\theta_m(t)$, obtaining a preterm $s$ (if $\theta_m(t)$ is not yet a preterm, the application is not defined).

2. Then compute the set of terms $\theta_v(s)$, where $\theta_v$ is a higher-order substitution which works modulo $\alpha$-conversion, defined as follows:

$$\theta_v x \in \theta_v(x) \quad \text{if } x \in \mathit{Dom}(\theta_v)$$
$$x \in \theta_v(x) \quad \text{if } x \notin \mathit{Dom}(\theta_v)$$
$$\mu p.t' \in \theta_v(\mu p.t) \quad \text{if } t' \in \theta_v(t) \text{ and no capture of variables holds}$$
$$f(t'_1,\ldots,t'_n) \in \theta_v(f(t_1,\ldots,t_n)) \quad \text{if } t'_i \in \theta_v(t_i)$$
$$t'_i \in \theta_v(a(t_1,\ldots,t_n)) \quad \text{if } \theta_v a = i \text{ and } t'_i \in \theta_v(t_i)$$
$$a(t'_1,\ldots,t'_n) \in \theta_v(a(t_1,\ldots,t_n)) \quad \text{if } t'_i \in \theta_v(t_i) \text{ and } a \notin \mathit{Dom}(\theta_v)$$
$$t' \in \theta_v(t\{p\ \mathrm{by}\ u\}) \quad \text{if } u' \in \theta_v(u),\ \theta' \in \{\!\{p\ \mathrm{by}\ u'\}\!\},\ t' \in (\theta' \cup \theta_v)(t) \text{ and no capture of variables holds}$$

When the metasubstitution $\theta$ is a substitution, we may abuse notation by writing $\theta(t)$ instead of $\theta_v(t)$. We also remark that if a metaterm $t$ has no pattern-matching constructor, then, if defined, $\theta(t)$ is a singleton.

Another interesting observation is that even when $\theta_v$ of some metasubstitution $\theta$ is empty, the second step of the previous procedure must still be computed on preterms (which still have pattern-matching constructors to be eliminated).

Let us see how the application of a metasubstitution works on an example. Consider $\theta = (\theta_m, \theta_v)$, where $\theta_m = \{X \triangleright a(x, f(z,y)),\ M \triangleright a(g(x,x), z),\ N \triangleright f(x,x)\}$ and $\theta_v = \emptyset$. In order to compute $\theta(M\{X\ \mathrm{by}\ N\})$ we first compute $\theta_m(M\{X\ \mathrm{by}\ N\})$, which gives the preterm $t = a(g(x,x), z)\{a(x, f(z,y))\ \mathrm{by}\ f(x,x)\}$.

Now, since $\alpha$-conversion is allowed on preterms, we obtain

$$t =_\alpha a(g(x',x'), z)\{a(x', f(z,y))\ \mathrm{by}\ f(x,x)\} = t'$$

The computation of $\{\!\{a(x', f(z,y))\ \mathrm{by}\ f(x,x)\}\!\}$ gives $\{\rho_1, \rho_2\}$, where $\rho_1 = \{a \triangleright 1, x' \triangleright f(x,x)\}$ and $\rho_2 = \{a \triangleright 2, z \triangleright x, y \triangleright x\}$; thus, the second step of the application procedure finally gives the set

$$\theta_v(t') = \{g(f(x,x), f(x,x)),\ x\}$$
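The pattern-matching sets of Definition 7 and the choice-selecting second step of Definition 9 can be run mechanically on the example above. The following Python is an added example written for this page, not code from the paper or its authors. It assumes a concrete encoding that the paper leaves open: a constructor application is a nested tuple (symbol, arg1, ..., argn) over string symbols, a variable is a string, the wildcard is "_", and a choice pattern or term a(p1, ..., pn) is a Choice record; the function names (pattern_match, apply_subst, eliminate) are this example's own. Bound variables are assumed to have been renamed apart beforehand (the t' of the example), so the "no capture of variables" side condition is not checked.

```python
from collections import namedtuple
from itertools import product

# Choice constructor a(p1, ..., pn): `name` is the choice variable, `branches` a tuple.
Choice = namedtuple("Choice", "name branches")
WILD = "_"  # the wildcard pattern "_" of Definition 7


def is_var(p):
    return isinstance(p, str) and p != WILD


def union(subs):
    """Union of substitutions (Definition 6): defined only if they agree on
    every shared (meta)variable; returns None when undefined."""
    out = {}
    for s in subs:
        for k, v in s.items():
            if k in out and out[k] != v:
                return None
            out[k] = v
    return out


def pattern_match(p, t):
    """{{p by t}} of Definition 7 as a list of substitutions; [] when undefined.
    A choice pattern a(p1..pn) yields one candidate per branch i, tagged a -> i,
    so overlapping branches produce several solutions."""
    if p == WILD:
        return [{}]                       # id in {{_ by t}}
    if is_var(p):
        return [{p: t}]                   # {x |-> t} in {{x by t}}
    if isinstance(p, Choice):
        out = []
        for i, pi in enumerate(p.branches, start=1):
            for th in pattern_match(pi, t):
                u = union([{p.name: i}, th])
                if u is not None:
                    out.append(u)
        return out
    # f(p1..pn) by f(t1..tn): same symbol, same arity, compatible sub-matches
    if (isinstance(t, tuple) and not isinstance(t, Choice)
            and p[0] == t[0] and len(p) == len(t)):
        out = []
        for combo in product(*(pattern_match(pi, ti) for pi, ti in zip(p[1:], t[1:]))):
            u = union(combo)
            if u is not None:
                out.append(u)
        return out
    return []


def apply_subst(theta, t):
    """Second step of Definition 9 on a term without pattern-matching constructors:
    a choice term a(t1..tn) with a -> i in theta collapses to its i-th branch."""
    if isinstance(t, str):
        return theta.get(t, t)
    if isinstance(t, Choice):
        if t.name in theta:
            return apply_subst(theta, t.branches[theta[t.name] - 1])
        return Choice(t.name, tuple(apply_subst(theta, b) for b in t.branches))
    return (t[0],) + tuple(apply_subst(theta, a) for a in t[1:])


def eliminate(body, p, u):
    """theta_v(body{p by u}) for an empty theta_v: one result term per matching
    substitution, hence a set of terms rather than a single term."""
    return {apply_subst(th, body) for th in pattern_match(p, u)}


if __name__ == "__main__":
    # {{a(0, x) by 0}}: the two "overlapping" branches 0 and x both succeed.
    print(pattern_match(Choice("a", (("0",), "x")), ("0",)))
    # t' = a(g(x',x'), z){a(x', f(z,y)) by f(x,x)} from the worked example (x' is "x1").
    body = Choice("a", (("g", "x1", "x1"), "z"))
    pat = Choice("a", ("x1", ("f", "z", "y")))
    print(eliminate(body, pat, ("f", "x", "x")))
```

Running the block reproduces the two solutions of the a(0, x) example and the two-element set of the worked example; a non-linear pattern such as f(x, x) matched against f(a, b) yields no substitution because the union of the sub-matches is undefined.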



Lemma 1. If $t$ is acceptable and $\theta \in \{\!\{p\ \mathrm{by}\ t\}\!\}$, then $\theta$ is acceptable. Also, if $t$ and $\theta$ are acceptable then so is $\theta(t)$.

2 Rewrite Rules and Reduction Relation

This section introduces the precise syntax used to specify rewrite rules in the ERSP formalism, as well as the reduction relation associated to them.

Definition 10. An Expression Reduction System with Patterns (ERSP) is a set of rewrite rules of the form $l \to r$ (also written $(l,r)$) such that:

• $l$ and $r$ are well-formed metaterms,

• the first symbol (called head symbol) of $l$ is in $\mathcal{F} \cup \mathcal{B}$,

• $\mathit{MV}(r) \subseteq \mathit{MV}(l)$,

• $\mathit{FV}(r) \subseteq \mathit{FV}(l)$, and

• $l$ contains no occurrence of the pattern-matching constructor.

Thus, for example, the rule $\mathit{app}(\lambda X.M, N) \to M\{X\ \mathrm{by}\ N\}$ given in the introduction, which generalizes the classical $\beta$-rule to the case of patterns, belongs to our framework.

In order to be able to guarantee that no free variable is "generated" during reduction, the following notion will be necessary.

Definition 11 (Path condition). Let $M$ be a term metavariable and $t$ a metaterm. We consider all the occurrences $p_1, \ldots, p_n$ of $M$ in $t$ and their corresponding parameter paths $l_1, \ldots, l_n$. A metasubstitution $\theta$ is said to have the path condition property for $M$ in $t$ iff:

$$\forall x \in \mathit{FV}(\theta_m M),\ (\forall 1 \leq i \leq n,\ x \in \theta_m l_i) \lor (\forall 1 \leq i \leq n,\ x \notin \theta_m l_i)$$

where the notation $\theta_m l$ denotes the set $\bigcup_{X \in l} \theta_m X$.

This notion is extended to rewrite rules by saying that $\theta$ has the path condition for $M$ in $(l,r)$ iff it has the path condition for $M$ in $f(l,r)$, where $f$ is any binary function symbol. This trick is used to consider a rule as a unique "tree".

The classical example of a path condition which is not satisfied by a rewrite rule is given by the $\eta$-rule of the $\lambda$-calculus (see for example [13,4]). Another rule in the same spirit, but using patterns, is $\lambda f(X).M \to M$. The metasubstitution $\theta = \{X \triangleright x, M \triangleright x\}$ does not satisfy the path condition for $M$ in this rule: $x$ belongs to the instantiated parameter path of the occurrence of $M$ in the left-hand side, but not to that of the occurrence in the right-hand side.

We now define the set of "good" substitutions to instantiate rewrite rules. For that, we remark that given a rewrite rule $l \to r$, the metaterm $l$ does not contain the pattern-matching constructor, so that for any metasubstitution $\theta$ the set $\theta(l)$ is a singleton.

Definition 12 (Admissible metasubstitution for metaterms/rules). A metasubstitution $\theta$ is admissible for a metaterm $t$ iff

- $\theta(t)$ contains only acceptable terms,

- $\theta$ has the path condition for every term metavariable appearing in $t$.

A metasubstitution $\theta$ is admissible for a rule $(l,r)$ iff $\theta$ is admissible for $f(l,r)$, where $f$ is any binary function symbol.

We remark that this definition implies that, given a rule $(l,r)$, both $\theta(l)$ and $\theta(r)$ are defined, so in particular all the pattern/term metavariables in $l$ are also in $\mathit{Dom}(\theta_m)$.

Definition 13 (Admissible reduction relation). Let $\mathcal{R}$ be an ERSP. We say that $s$ rewrites to $t$, written $s \to_{\mathcal{R}} t$ (with an explicit superscript when the distinction from the other reduction relations introduced below must be made), iff there exist a rule $(l,r) \in \mathcal{R}$, a well-formed admissible metasubstitution $\theta$ for $(l,r)$ and a context $C$ such that $s = C[\theta(l)]$ and $t \in C[\theta(r)]$.

Even if the relation $\to_{\mathcal{R}}$ is defined on any kind of terms, the reduction can only take place on acceptable subterms.

As expected, the reduction relation enjoys good preservation properties.

Lemma 2. Assume $s \to_{\mathcal{R}} t$. Then $\mathit{FV}^i_a(t) \subseteq \mathit{FV}^i_a(s)$ (for any $a$ and any $i$) and $\mathit{FV}(t) \subseteq \mathit{FV}(s)$. Also, if $s$ is acceptable, then so is $t$.
3 A Complete Example

We consider in this section the well-known higher-order function map, which takes a function $f$ and a list $l$ and returns the result of applying $f$ to each element of $l$. This function can be specified as the following OCaml [18] program:

# let rec map (f, l) = match l with
    Nil -> Nil
  | Cons (h, t) -> Cons (f h, map (f, t));;

It can also be specified as the following ERSP rewrite rule:

$$\mathit{map}(\mu X.F, L) \to a(\mathit{nil},\ \mathit{cons}(F\{X\ \mathrm{by}\ h\},\ \mathit{map}(\mu X.F, t)))\{a(\mathit{nil}, \mathit{cons}(h,t))\ \mathrm{by}\ L\}$$

Let us see how this implementation of map works on a concrete example. Suppose that we represent natural numbers with the constructors $0$ and $s$, and let $\mathit{pred} =_{\mathit{def}} \mu b(0, s(n)).b(0, n)$ denote the predecessor function on natural numbers. Using the metasubstitution $\theta = (\theta_m, \theta_v)$, where $\theta_m = \{X \triangleright b(0, s(n)),\ F \triangleright b(0,n),\ L \triangleright \mathit{cons}(0, \mathit{cons}(s(s(0)), \mathit{nil}))\}$ and $\theta_v = \emptyset$, to fire the previous rewrite rule, we can construct the following derivation:

$$t_1 = \mathit{map}(\mathit{pred}, \mathit{cons}(0, \mathit{cons}(s(s(0)), \mathit{nil}))) \to t_2 = \mathit{cons}(0, \mathit{map}(\mathit{pred}, \mathit{cons}(s(s(0)), \mathit{nil})))$$

Indeed, the term $t_1$ is an instance of the left-hand side of the previous rule. In order to obtain $t_2$ we have to apply $\theta$ to the right-hand side of the previous rule. For that, we first instantiate $\{a(\mathit{nil}, \mathit{cons}(h,t))\ \mathrm{by}\ L\}$ with $\theta_m$; then, since $\theta_v(\theta_m(L)) = \theta_m(L)$, we can compute the pattern-matching operation $\{\!\{a(\mathit{nil}, \mathit{cons}(h,t))\ \mathrm{by}\ \mathit{cons}(0, \mathit{cons}(s(s(0)), \mathit{nil}))\}\!\}$. We obtain the substitution $\theta'_v = \{a \triangleright 2,\ h \triangleright 0,\ t \triangleright \mathit{cons}(s(s(0)), \mathit{nil})\}$. Now we have to instantiate $a(\mathit{nil}, \mathit{cons}(F\{X\ \mathrm{by}\ h\}, \mathit{map}(\mu X.F, t)))$ with $\theta_m$, then proceed with the application of $\theta'_v$ to this last instantiation. The only delicate part is the one concerning the submetaterm $F\{X\ \mathrm{by}\ h\}$. We have $\theta_m(F\{X\ \mathrm{by}\ h\}) = b(0,n)\{b(0, s(n))\ \mathrm{by}\ h\} = t'$ and $\theta'_v(t') = b(0,n)\{\!\{b(0,s(n))\ \mathrm{by}\ 0\}\!\} = 0$.

The reader may verify that this sequence of operations finally leads to the term $t_2$. Similarly, we can then continue the reduction until $\mathit{cons}(0, \mathit{cons}(s(0), \mathit{nil}))$.



4 Towards a Subclass of Confluent ERSP

The following two sections are devoted to the study of confluence for a certain class of ERSP, called the orthogonal l-constructor ERSP, and a certain class of terms, called l-constructor deterministic terms. Intuitively, an orthogonal ERSP is left-linear and non-overlapping. Sufficiency of orthogonality for confluence in first- and higher-order rewrite systems is well known [1]. A constructor ERSP is a system $\mathcal{R}$ where the set of function symbols is partitioned into two different subsets, namely the set of constructors, which cannot be reduced, and the set of defined symbols, which cannot be matched. As an example, let us consider the following system, which is not a constructor ERSP:

$$\mathcal{R}:\ a \to b,\quad \mathit{app}(\mu a.c, M) \to c\{a\ \mathrm{by}\ M\}$$

The term $\mathit{app}(\mu a.c, a)$ can be reduced both to $\mathit{app}(\mu a.c, b)$ and to $c$, which are not joinable. Thus, $\mathcal{R}$ turns out to be non-confluent.

Unfortunately, orthogonal l-constructor ERSP do not immediately guarantee confluence, as the rule $\mathit{app}(\lambda X.M, N) \to M\{X\ \mathrm{by}\ N\}$ shows: the term $t = \mathit{app}(\lambda a(x,y).a(0,1), 3)$ has two non-joinable reducts $0$ and $1$ by this unique rule.

The reason is that $t$ contains two "overlapping" patterns $x$ and $y$ inside the choice pattern $a(x,y)$. The failure of the confluence property in this case is completely natural, since the term $t$ corresponds, informally, to a "non-orthogonal" first-order rewriting system. It is then clear that we have to get rid of this class of terms in order to get a confluence result; this will be done by introducing the notion of l-constructor deterministic terms.

We are now ready to give a formal definition of all these notions.

Definition 14 (L-constructor system). $\mathcal{R}$ is said to be l-constructor iff

- The set $\mathcal{F}$ of function symbols can be partitioned into two sets $\mathcal{F}_c$ and $\mathcal{F}_d$, called respectively constructors and defined symbols, such that:

  • each defined symbol is the head of some left-hand side of $\mathcal{R}$;

  • all the function symbols in metapatterns of $\mathcal{R}$ are constructors.

- For every rule $(l,r) \in \mathcal{R}$, both $l$ and $r$ are p-linear metaterms.

The system $\mathcal{R}_1 = \{\beta_{pm}\} \cup \{0 + N \to N,\ s(M) + N \to s(M + N)\}$ is l-constructor. The system $\mathcal{R}_2 = \{\mu f(X).M \to M,\ f(0) \to 0\}$ is not l-constructor, since the function symbol $f$ appears both as the head symbol of some rule and inside a metapattern of $\mathcal{R}_2$. The system $\mathcal{R}_3 = \{\mu f(X,X).0 \to 0\}$ is not l-constructor since $\mu f(X,X).0$ is not p-linear.

Definition 15 (L-constructor objects). Given an l-constructor system $\mathcal{R}$, we say that a metapattern is l-constructor iff it is linear and all its function symbols are constructors of $\mathcal{R}$. An l-constructor metaterm contains only l-constructor metapatterns. A metasubstitution $\theta$ is said to be l-constructor iff $\theta(x)$ is l-constructor for any $x \in \mathit{Dom}(\theta)$.

As an example concerning our previous system $\mathcal{R}_1$, we can observe that the metapattern $s(X)$ is l-constructor but $X + Y$ is not, since the symbol $+$ is not a constructor function symbol.

We remark that if $p$ is an l-constructor pattern and $\{\!\{p\ \mathrm{by}\ t\}\!\}$ is defined, then all its elements are l-constructor substitutions.

Definition 16 (L-constructor reduction relation). If $\mathcal{R}$ is an l-constructor system, we say that $s$ constructor rewrites to $t$ (written $s \to^{c}_{\mathcal{R}} t$) iff there exist a rewrite rule $(l,r) \in \mathcal{R}$, a well-formed l-constructor metasubstitution $\theta$ admissible for $(l,r)$ and a context $C$ such that $s = C[\theta(l)]$ and $t \in C[\theta(r)]$.
As an example, given the previous system $\mathcal{R}_1$, we have $0 + 0 \to^{c}_{\mathcal{R}_1} 0$, but we do not have $t = \mathit{app}(\lambda(0+0).3,\ 0+0) \to^{c}_{\mathcal{R}_1} 3$ (even if we have $t \to_{\mathcal{R}_1} 3$), since the term $t$ is not an l-constructor term.

One can remark that whenever $t$ is an l-constructor preterm and $\theta$ is an l-constructor substitution w.r.t. $\mathit{FV}(t)$, then $\theta(t)$ contains only l-constructor terms. Also, as expected, l-constructor terms are preserved during reduction.

Lemma 3 (Preservation of l-constructor terms). If $\mathcal{R}$ is l-constructor, $s$ is l-constructor and $s \to^{c}_{\mathcal{R}} t$, then $t$ is l-constructor.

Definition 17 (Left-linear systems). A rewrite rule $l \to r$ is said to be left-linear iff $l$ contains at most one occurrence of any term metavariable. A system is left-linear if all its rules are left-linear.

As an example, the rule $f(M,M) \to 3$ is not left-linear, while $f(M) \to g(M,M)$ and $\mu x.f(x,x) \to 0$ are.

Definition 18 (Redexes and overlapping redexes). A term $t$ is said to be a redex if it is an instance of some left-hand side of a rule, that is, $t = \theta(l)$ for some rule $(l,r)$. A rewrite system is said to be non-overlapping iff

- whenever a redex $\theta(l_j)$ contains another redex $\theta'(l_i)$, then $\theta'(l_i)$ must be contained in $\theta(M)$ for some term metavariable $M$ of $l_j$;

- likewise whenever a redex $\theta(l)$ properly contains another redex instance $\theta'(l)$ of the same rule.

Definition 19 (Orthogonal systems). A rewrite system $\mathcal{R}$ is said to be orthogonal iff $\mathcal{R}$ is left-linear and non-overlapping.

As an example, the system $\{f(\mu x.x) \to 0,\ \mu X.y \to 1\}$ is overlapping: the redex $f(\mu y.y) = \theta(f(\mu x.x))$ contains the redex $\mu y.y = \theta'(\mu X.y)$. The system $\{f(\mu X.M) \to 0,\ \lambda Z.N \to g(2)\}$ is orthogonal.

We now introduce l-constructor deterministic terms, for which the class of orthogonal l-constructor ERSP will be confluent. Let us start with the following notion.

Definition 20 (Overlapping patterns). Two patterns $p$ and $q$ are said to be overlapping iff there exists a term $t$ such that both $\{\!\{p\ \mathrm{by}\ t\}\!\}$ and $\{\!\{q\ \mathrm{by}\ t\}\!\}$ are defined.

The patterns $f(\_, x)$ and $f(y, g(0))$ are overlapping. Also, $a(0, s(x))$ and $b(s(0), s(s(\_)))$ are overlapping.

Definition 21 (Deterministic patterns/terms). A pattern $p$ is said to be deterministic iff whenever $a(p_1,\ldots,p_n)$ appears inside $p$, then for all $i \neq j$ the patterns $p_i$ and $p_j$ are not overlapping. A term $t$ is said to be deterministic iff $t$ is acceptable and every pattern $p$ appearing in $t$ is deterministic.

Thus, for example, $b(s(0), s(s(\_)))$ is deterministic but $b(s(0), s(\_))$ is not. This definition implies that whenever $p$ is a deterministic pattern, there exists at most one substitution $\theta$ belonging to $\{\!\{p\ \mathrm{by}\ t\}\!\}$.
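Definitions 20 and 21 can be decided mechanically for the algebraic patterns used in this section. The following Python is an added example written for this page, not code from the paper or its authors. It assumes an encoding the paper does not fix: a constructor application is a nested tuple (symbol, arg1, ..., argn), a variable is a string, the wildcard is "_", and a choice pattern a(p1, ..., pn) is a Choice record; all patterns are assumed linear, and the names branches_of, unify, overlapping and deterministic are this example's own. Overlap is decided by expanding every choice into its choice-free branches and unifying one branch of each pattern, which for linear patterns renamed apart is exactly the existence of a common instance $t$ required by Definition 20.

```python
from collections import namedtuple
from itertools import product

Choice = namedtuple("Choice", "name branches")   # choice pattern a(p1, ..., pn)
WILD = "_"                                       # the wildcard pattern


def branches_of(p):
    """Choice-free patterns that p can act as: one per combination of branch
    selections, since {{a(p1..pn) by t}} is defined iff some {{pi by t}} is."""
    if isinstance(p, Choice):
        return [q for b in p.branches for q in branches_of(b)]
    if isinstance(p, tuple):
        return [(p[0],) + c for c in product(*(branches_of(a) for a in p[1:]))]
    return [p]


def rename(p, tag):
    """Prefix every variable of a choice-free pattern so that two patterns
    being compared never share a variable name."""
    if isinstance(p, str):
        return p if p == WILD else tag + p
    return (p[0],) + tuple(rename(a, tag) for a in p[1:])


def unify(a, b, s):
    """Syntactic unification of two choice-free linear patterns; returns the
    unifier or None. Each variable occurs at most once and the patterns are
    walked in lockstep, so a variable is bound at most once and no occurs
    check or binding chase is needed (this relies on the linearity assumption)."""
    if a == WILD or b == WILD or a == b:
        return s
    if isinstance(a, str):
        return {**s, a: b}
    if isinstance(b, str):
        return {**s, b: a}
    if a[0] != b[0] or len(a) != len(b):
        return None
    for x, y in zip(a[1:], b[1:]):
        s = unify(x, y, s)
        if s is None:
            return None
    return s


def overlapping(p, q):
    """Definition 20: some term is matched by both p and q."""
    return any(unify(rename(bp, "p."), rename(bq, "q."), {}) is not None
               for bp in branches_of(p) for bq in branches_of(q))


def deterministic(p):
    """Definition 21: no two branches of any choice inside p overlap."""
    if isinstance(p, Choice):
        bs = p.branches
        pairwise = all(not overlapping(bs[i], bs[j])
                       for i in range(len(bs)) for j in range(i + 1, len(bs)))
        return pairwise and all(deterministic(b) for b in bs)
    if isinstance(p, tuple):
        return all(deterministic(a) for a in p[1:])
    return True


if __name__ == "__main__":
    zero = ("0",)
    print(overlapping(("f", WILD, "x"), ("f", "y", ("g", zero))))          # f(_, x) vs f(y, g(0))
    print(overlapping(Choice("a", (zero, ("s", "x"))),
                      Choice("b", (("s", zero), ("s", ("s", WILD))))))     # a(0, s(x)) vs b(s(0), s(s(_)))
    print(deterministic(Choice("b", (("s", zero), ("s", ("s", WILD))))))  # b(s(0), s(s(_)))
    print(deterministic(Choice("b", (("s", zero), ("s", WILD)))))         # b(s(0), s(_))
```

The check reproduces the section's examples: f(_, x) and f(y, g(0)) overlap, a(0, s(x)) and b(s(0), s(s(_))) overlap, b(s(0), s(s(_))) is deterministic and b(s(0), s(_)) is not. Non-deterministic patterns are exactly those for which a matching can return more than one substitution, as with a(0, x) earlier.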
Definition 22 (Deterministic metasubstitution for metaterms/rules). A metasubstitution $\theta$ is said to be deterministic for a metaterm $t$ iff

• $\theta$ is admissible for $t$,

• $\theta(t)$ contains only one deterministic term.

Finally, $\theta$ is deterministic for a rule $(l,r)$ iff $\theta$ is deterministic for $f(l,r)$, where $f$ is any binary function symbol.

A metasubstitution $\theta$ is deterministic iff $\theta x$ is deterministic for all $x \in \mathit{Dom}(\theta)$. Deterministic terms are stable under deterministic substitutions. Also, the substitution obtained by performing a pattern-matching operation on a deterministic pattern $p$ and a deterministic term $t$ turns out to be deterministic.

Definition 23 (Deterministic reduction relation). Given a system $\mathcal{R}$, we say that $s$ deterministically rewrites to $t$ (written $s \to^{d}_{\mathcal{R}} t$) iff there exist a rewrite rule $(l,r) \in \mathcal{R}$, a well-formed deterministic metasubstitution $\theta$ for $(l,r)$ and a context $C$ such that $s = C[\theta(l)]$ and $t \in C[\theta(r)]$.

From now on we use the notation $\to^{c,d}_{\mathcal{R}}$ to denote $\to^{c}_{\mathcal{R}} \cap \to^{d}_{\mathcal{R}}$. As expected, orthogonal systems allow us to preserve deterministic terms.

Lemma 4 (Preservation of deterministic terms). Given an orthogonal system $\mathcal{R}$, if $s$ is deterministic and $s \to^{d}_{\mathcal{R}} t$, then $t$ is deterministic.

5 The Confluence Proof

This section is dedicated to showing that the relation $\to^{c,d}_{\mathcal{R}}$ is confluent for orthogonal l-constructor ERSP, that is, orthogonal l-constructor ERSP are confluent on l-constructor deterministic terms. This confluence property can only be proved on the set of acceptable l-constructor deterministic terms. The proof uses a technique due to Tait and Martin-Löf [2] and can be summarized in four steps:

• We define a parallel reduction relation denoted $\Rrightarrow_{c,d}$.

• We prove that $\Rrightarrow_{c,d}^{*}$ and $\to^{c,d*}_{\mathcal{R}}$ are the same relation.

• We show, using Takahashi terms [19], that $\Rrightarrow_{c,d}$ has the diamond property on the set of acceptable l-constructor deterministic terms.

• We conclude by the fact that the diamond property implies confluence.

In order to define the $\Rrightarrow_{c,d}$ reduction relation, we first need to extend relations on terms to relations on substitutions.

Notation 1. Given any relation $\succ$ between terms and two metasubstitutions $\theta$ and $\theta'$, we write $\theta \succ \theta'$ when $\mathit{Dom}(\theta) = \mathit{Dom}(\theta')$, $\theta$ and $\theta'$ coincide on the sets of choice and pattern variables, and for every $M \in \mathit{Dom}(\theta)$ we have $\theta(M) \succ \theta'(M)$ and for every $x \in \mathit{Dom}(\theta)$ we have $\theta(x) \succ \theta'(x)$.

In order to relate two sets $S$ and $T$ of metaterms/metasubstitutions via any binary relation $\succ$, we write $S \succ T$ iff $\forall s \in S,\ \exists t \in T,\ s \succ t$ and $\forall t \in T,\ \exists s \in S,\ s \succ t$. For any unary relation $\Phi$ on metaterms/metasubstitutions, we write $\Phi(S) = \bigcup_{s \in S} \Phi(s)$.
We can now define the parallel relation as follows:

Definition 24 (The simultaneous relation $\Rrightarrow_a$).

• $x \Rrightarrow_a x$.

• If $s_1 \Rrightarrow_a s'_1, \ldots, s_m \Rrightarrow_a s'_m$, then $f(s_1,\ldots,s_m) \Rrightarrow_a f(s'_1,\ldots,s'_m)$, $\mu p.s_1 \Rrightarrow_a \mu p.s'_1$ and $a(s_1,\ldots,s_m) \Rrightarrow_a a(s'_1,\ldots,s'_m)$.

• If $\theta \Rrightarrow_a \rho$, then $\theta(l) \Rrightarrow_a \rho(r)$ for any rewrite rule $l \to r$ such that $\theta$ is admissible for it.

We write $s \Rrightarrow_c t$ (resp. $s \Rrightarrow_d t$) if the metasubstitution $\theta$ used in Definition 24 is not only admissible but also constructor (resp. deterministic). We write $\Rrightarrow_{c,d}$ to denote the relation $\Rrightarrow_c \cap \Rrightarrow_d$.

Given any of the relations $\Rrightarrow$ above, for every term $s$ we have $s \Rrightarrow s$. Also, if $s \Rrightarrow s'$ and $s$ is not a redex, then the root symbols of $s$ and $s'$ are the same. Moreover, if also $s = Q(s_1,\ldots,s_m)$, then $s' = Q(s'_1,\ldots,s'_m)$ where $s_i \Rrightarrow s'_i$, for $Q$ a function symbol, a case (choice) or a binder symbol.

We are now ready to proceed with the second step of Tait and Martin-Löf's technique, which consists in showing that the reflexive-transitive closures of $\Rrightarrow_{c,d}$ and $\to^{c,d}_{\mathcal{R}}$ are the same relation.

We can show by induction on l-constructor patterns that pattern-matching is stable under term reduction.

Lemma 5. Let $\mathcal{R}$ be an l-constructor ERSP, $p$ an l-constructor pattern and $t$ a term such that $t \to_{\mathcal{R}} t'$. If $\{\!\{p\ \mathrm{by}\ t\}\!\}$ is defined, then $\{\!\{p\ \mathrm{by}\ t'\}\!\}$ is also defined and $\{\!\{p\ \mathrm{by}\ t\}\!\} \to_{\mathcal{R}} \{\!\{p\ \mathrm{by}\ t'\}\!\}$.

The previous lemma does not hold if the pattern $p$ is not l-constructor. Indeed, let $\mathcal{R} = \{a \to b\}$ and let us take the non-linear pattern $p_1 = f(x,x)$ and the non-constructor pattern $p_2 = a$. We have that $\{\!\{f(x,x)\ \mathrm{by}\ f(a,a)\}\!\}$ is defined and $f(a,a) \to_{\mathcal{R}} f(a,b)$, but $\{\!\{f(x,x)\ \mathrm{by}\ f(a,b)\}\!\}$ is not defined. Also, $\{\!\{a\ \mathrm{by}\ a\}\!\}$ is defined and $a \to_{\mathcal{R}} b$, but $\{\!\{a\ \mathrm{by}\ b\}\!\}$ is not defined.

We can now show by induction on metaterms that reduction of metasubstitutions is stable under application:

Lemma 6. Let $\mathcal{R}$ be an l-constructor ERSP and $\theta, \rho$ two well-formed l-constructor metasubstitutions such that $\theta \to^{c}_{\mathcal{R}} \rho$. If, for any l-constructor metaterm $t$ such that $\theta$ has the path condition for $t$, $\theta(t)$ is defined and contains only acceptable l-constructor terms, then the same holds for $\rho(t)$ and $\theta(t) \to^{c*}_{\mathcal{R}} \rho(t)$.

Lemma 6 allows us to obtain the following fundamental property.

Lemma 7. Let $\mathcal{R}$ be an l-constructor ERSP. If $\theta \to^{c}_{\mathcal{R}} \rho$ and $\theta$ is a well-formed l-constructor admissible metasubstitution for $(l,r)$, then $\theta(l) \to^{c*}_{\mathcal{R}} \rho(r)$ and $\rho$ is admissible for $(l,r)$.

We are now able to conclude the second step of our confluence proof:
Theorem 1 (Equivalence between $\Rrightarrow_{c,d}^{*}$ and $\to^{c,d*}_{\mathcal{R}}$). If $\mathcal{R}$ is an l-constructor ERSP, then $s \to^{c,d}_{\mathcal{R}} t$ implies $s \Rrightarrow_{c,d} t$, and $s \Rrightarrow_{c,d} t$ implies $s \to^{c,d*}_{\mathcal{R}} t$.

Proof. The first implication holds in a more general case, namely, $s \to s'$ implies $s \Rrightarrow s'$ for $\to\ \in \{\to^{c}_{\mathcal{R}}, \to^{d}_{\mathcal{R}}\}$, the corresponding $\Rrightarrow$, and any ERSP $\mathcal{R}$. This can be shown by induction on the definition of $\Rrightarrow$. The second implication can be shown by induction on the structure of $s$ using Lemma 7.

We are now going to prove the diamond property for the relation $\Rrightarrow_{c,d}$. For that, we associate a term $\#(s)$ to every term $s$ such that every time $s \Rrightarrow_{c,d} s'$, for some $s'$, we automatically deduce $s' \Rrightarrow_{c,d} \#(s)$. Thus, given two different terms $s'$ and $s''$ such that $s \Rrightarrow_{c,d} s'$ and $s \Rrightarrow_{c,d} s''$, we obtain a unique term $\#(s)$ which allows us to close the diagram with $s' \Rrightarrow_{c,d} \#(s)$ and $s'' \Rrightarrow_{c,d} \#(s)$. The diamond property will immediately follow.

Definition 25 (Takahashi terms $\#(s)$). Given an ERSP $\mathcal{R}$ and a term $s$, we define its associated Takahashi term $\#(s)$ by induction as follows:

• If $s = x$, then $\#(x) = x$.

• If $s = f(s_1,\ldots,s_m)$ (resp. $s = \mu p.s'$ or $a(s_1,\ldots,s_m)$) and $s$ is not a deterministic instance of a left-hand side of a rule, then $\#(s) = f(\#(s_1),\ldots,\#(s_m))$ (resp. $\#(s) = \mu p.\#(s')$ and $\#(s) = a(\#(s_1),\ldots,\#(s_m))$).

• If $s$ is an instance $\theta(l)$ of the left-hand side $l$ of some rule $l \to r$, where $\theta = (\theta_m, \theta_v)$ is deterministic for $(l,r)$, then $\#(s) = \#(\theta)(r)$, where $\#(\theta) = (\#(\theta)_m, \#(\theta)_v)$ verifies $\#(\theta)_m(M) = \#(\theta_m(M))$ and $\#(\theta)_v(y) = \#(\theta_v(y))$.

We can show by induction on terms the following two properties about $\Rrightarrow$.

Lemma 8. The term $\#(s)$ is uniquely defined in every orthogonal ERSP.

Lemma 9. Let $\mathcal{R}$ be an orthogonal ERSP, let $\Rrightarrow$ be any of the relations above and let $s \Rrightarrow s'$. If $s = Q(s_1,\ldots,s_m)$ and $s' = Q(s'_1,\ldots,s'_m)$ (where $Q$ is a function symbol, binder symbol, case or variable) and $s_i \Rrightarrow s'_i$, then if $s$ is a redex $\theta(l)$, $s'$ is also a redex $\rho(l)$, for some $\rho$ such that $\theta \Rrightarrow \rho$.

Lemma 10. If $\mathcal{R}$ is l-constructor and orthogonal and $s \Rrightarrow_{c,d} s'$, then $s' \Rrightarrow_{c,d} \#(s)$.

Proof. By induction on the definition of $s \Rrightarrow_{c,d} s'$ using Lemma 9.

Corollary 1. If $\mathcal{R}$ is an l-constructor orthogonal ERSP, then the relation $\Rrightarrow_{c,d}$ is confluent on deterministic constructor acceptable terms.

Proof. It is well known that a relation having the diamond property is confluent [1], so it is sufficient to show that $\Rrightarrow_{c,d}$ has the diamond property. Let us consider $s \Rrightarrow_{c,d} s'$ and $s \Rrightarrow_{c,d} s''$. By Lemma 10 we can close the diagram with $s' \Rrightarrow_{c,d} \#(s)$ and $s'' \Rrightarrow_{c,d} \#(s)$.

By Theorem 1 and Corollary 1 we can now conclude with the main result of this section, namely:

Theorem 2. Let $\mathcal{R}$ be an l-constructor orthogonal ERSP. The relation $\to^{c,d}_{\mathcal{R}}$ is confluent on acceptable constructor deterministic terms.
6 Conclusion and Further Work

We have introduced a new higher-order formalism, called ERSP, in which the abstraction operation is not only allowed on variables but also on more complex patterns. This formalism can be seen as an extension of ERS [13] and SERS [4] to the case of patterns, and an extension of [12] to the case of non-functional rewriting rules. Many simple notions in the mentioned previous works do not trivially extend to our case: on the one hand, the complexity of ERSP does not only appear at the level of metaterms but also at the level of terms; on the other hand, binders are not always as simple as in the case of the $\lambda$-calculus. We carefully extend all the expected notions of rewriting to our framework, namely terms, metaterms, rewrite rules, substitutions, reduction, etc. The resulting formalism is able to model pattern-matching function/proof definitions.

The more technical part of this work is the identification of a class of ERSP which can be proved to be confluent on an appropriate set of terms. Our confluence result gives in particular a confluence result for SERS.

As mentioned in the introduction, ERSP and the $\rho$-calculus [8] are closely related. The main difference between both formalisms lies in the class of syntactic patterns which are considered: our approach is mainly driven by the set of patterns appearing in functional languages and theorem provers, namely algebraic patterns with choice constructors, while their approach includes other higher-order patterns (rules in their formalism) not really used in implementations of programming languages.

Many future directions remain to be explored. The first one consists in the definition of implementation languages given by "explicit" versions of this formalism, where both pattern matching and substitution operators are integrated into the syntax. This would result in generalizations of the calculi defined in [5,9].

Also, a formal comparison between ERSP and the $\rho$-calculus must be done. In particular, it would be interesting to know whether every system in the $\rho$-calculus can be expressed as an ERSP system and vice-versa. Another interesting question concerns confluence, since confluent $\rho$-systems are characterized via a special reduction strategy while confluence is ensured in our case by syntactic restrictions.

Typing is another feature which remains as further work. It is however interesting to remark that the pioneering work on pattern calculi [12] which inspired the definition of ERSP was built, via the Curry-Howard isomorphism, on a computational interpretation of Gentzen's sequent calculus for intuitionistic minimal logic. As a consequence, each ERSP pattern constructor comes from the interpretation of some left logical rule of Gentzen's calculus. It is nevertheless less evident how to associate a Curry-Howard style interpretation to the entire ERSP syntax.

Last but not least, strong normalization of ERSP has to be studied. Indeed, proof techniques to guarantee termination of higher-order formalisms are not straightforward [3,11,21] and they do not extend immediately to our case.
Abstract. Residuals have been studied for various forms of rewriting and residual systems have been defined to capture residuals in an abstract setting. In this article we study residuals in orthogonal Pattern Rewriting Systems (PRSs). First, the rewrite relation is defined by means of a higher-order rewriting logic, and proof terms are defined that witness reductions. Then, we have the formal machinery to define a residual operator for PRSs, and we will prove that an orthogonal PRS together with the residual operator mentioned above is a residual system. As a side-effect, all results of (abstract) residual theory are inherited by orthogonal PRSs, such as confluence, and the notion of permutation equivalence of reductions.



1 Introduction 

This paper deals with residual theory: what remains of a reduction after another reduction from the same object has been performed? Let $\varphi$ and $\psi$ be reductions. Intuitively, the residual of $\varphi$ after $\psi$, written $\varphi/\psi$, should consist of exactly those steps of $\varphi$ which were not in $\psi$. In the literature, residuals have been studied in various degrees of abstraction [2,3,4,6,8,13,14], and for various forms of reduction (e.g. reduction in the $\lambda$-calculus, first-order term rewriting, and concurrency theory). In this paper we study residuals in a subclass of Higher-order Rewriting Systems (HRSs), orthogonal Pattern Rewriting Systems (orthogonal PRSs).

Even in first-order term rewriting, calculating residuals is a non-trivial task. Performing a reduction may duplicate the redexes of other reductions, thus potentially increasing the length of their residuals. In the higher-order case, the problems caused by duplication are more severe: now, copies of the same redex may get nested. Consider the orthogonal PRS which consists of the following two rules:

$\mu : \lambda z.\mathit{mu}(\lambda x.z(x)) \to \lambda z.z(\mathit{mu}(\lambda x.z(x)))$
$\rho : \lambda x.f(x) \to \lambda x.h(x,x)$

Consider the term $s = \mathit{mu}(\lambda x.f(x))$. The rule $\mu$ can be applied to the whole term (because $(\lambda z.\mathit{mu}(\lambda x.z(x)))(\lambda x.f(x)) =_\beta s$) and the rule $\rho$ can be applied to the subterm $\lambda x.f(x)$, so the following steps exist from $s$:

$\varphi : \mathit{mu}(\lambda x.f(x)) \to f(\mathit{mu}(\lambda x.f(x)))$

$\psi : \mathit{mu}(\lambda x.f(x)) \to \mathit{mu}(\lambda x.h(x,x))$



R. Nieuwenhuis (Ed.): RTA 2003, LNCS 2706, pp. 123-137, 2003.
(c) Springer-Verlag Berlin Heidelberg 2003
The residual of $\psi$ after $\varphi$ is the reduction

$f(\mathit{mu}(\lambda x.f(x))) \to h(\mathit{mu}(\lambda x.f(x)), \mathit{mu}(\lambda x.f(x)))$
$\to^{*} h(\mathit{mu}(\lambda x.h(x,x)), \mathit{mu}(\lambda x.h(x,x)))$

in which we see that one copy of the $\rho$-redex duplicates another (nested) copy of the $\rho$-redex.

In this paper we define a projection operator for proof terms, which are 
witnesses to multistep reductions. The operator projects one proof term over 
another and returns the residual of that proof term after the other. We define 
the projection operator by means of an inference system (postponing the proof 
that it is actually defined on orthogonal PRSs to the last part of the paper), 
prove that a PRS with projection operator is a residual system, and give an 
algorithm which calculates residuals. 

An extended version of this paper was made available as technical report 
nr. 221 at http://preprints.phil.uu.nl/lgps/. 

2 Preliminaries 

2.1 Higher-Order Rewriting 

We use Higher-order Rewriting Systems (HRSs) [7]. In fact, we consider HRSs as HORSs [12] with the simply typed $\lambda$-calculus as substitution calculus. We presuppose working knowledge of the $\lambda$-calculus, but in this section we will quickly recall the important notions of HRSs.

We fix in advance a signature $\Sigma$ of simply typed constants (over a set of base types $\mathcal{B}$)¹. Preterms are simply typed $\lambda$-terms over $\Sigma$. We identify $\alpha$-equivalent preterms. We consider $\beta\eta$-equivalence classes of preterms. Since it is well-known that $\beta$-reduction combined with restricted $\eta$-expansion ($\beta\bar{\eta}$-reduction) is both confluent (modulo $\alpha$-equivalence) and strongly normalizing, we can consider $\beta\eta$-normal forms as unique representatives of the $\beta\eta$-equivalence classes. So, we define: terms are preterms in $\beta\eta$-normal form. A context $C$ is a term of the form $\lambda x.C_0$, such that $x$ occurs free in $C_0$ exactly once.

We write $stu$ for $(st)u$, and we use, for arbitrary (pre)terms $s, t_1, \ldots, t_n$, the following notation: $s(t_1, \ldots, t_n) = s\,t_1 \ldots t_n$. Often, $s$ will just be a function symbol, but the same notation is used if $s$ is a term of the form $\lambda x_1 \ldots x_n.s_0$.

A term $s$ is a pattern if all of its free variables $x$ occur in some subterm of $s$ of the form $x(y_1, \ldots, y_n)$, where the $y_i$ are distinct bound variables.

Definition 2.1. A rewrite rule is a tuple $l = \lambda x_1 \ldots x_n.l_0 \to \lambda x_1 \ldots x_n.r_0 = r$, where $l$ (the left-hand side) and $r$ (the right-hand side) are closed terms of the same type, and $l$ is not $\eta$-equivalent to a variable. The rule is left-linear if $x_1, \ldots, x_n$ occur in $l_0$ exactly once.

A Higher-order Rewrite System (HRS) $\mathcal{H}$ is a set of rewrite rules. $\mathcal{H}$ is left-linear if all its rules are. An HRS is a Pattern Rewrite System (PRS) if, for all of its rules $\lambda x_1 \ldots x_n.l_0 \to \lambda x_1 \ldots x_n.r_0$, $l_0$ is a pattern.

¹ All definitions must be read as having the signature as an implicit parameter.
Let $\mathcal{H}$ be an HRS. We define the rewrite relation $\to_{\mathcal{H}}$ as follows [16]: $s$ rewrites to $t$, written $s \to_{\mathcal{H}} t$ (the subscript is omitted if clear from the context), if there is a context $C$ and a rule $l \to r \in \mathcal{H}$, such that $s \leftarrow_\beta C(l)$ and $C(r) \to_\beta t$. By $\to^{*}_{\mathcal{H}}$ we denote the reflexive, transitive closure of $\to_{\mathcal{H}}$.

The most important reason one might have to use PRSs, is the following 
result of Miller [10]: unification of patterns is decidable, and if two patterns are 
unifiable, a most general unifier can be computed. This entails that the rewriting 
relation induced by a PRS is decidable. 

We mention the following property of higher-order rewriting. It is non-trivial due to the implicit $\beta$-reductions in $su$ and $tv$. Proofs can be found in [7,12].

Proposition 2.2. Let $s, t, u, v$ be terms. If $s \to^{*} t$ and $u \to^{*} v$ then $su \to^{*} tv$.



2.2 Residual Theory 

Residual theory was studied in, among others, [2,3,4,6,8]. In this section, we present residuals in an abstract setting, following [13,14], which was, in turn, based on [17]. If $\varphi$ and $\psi$ are reductions from the same object, in an arbitrary form of rewriting, then what can we tell in general of what the residual of $\psi$ after $\varphi$ must look like?

The most general form of rewriting system, which, for that reason, we will use in this section, is an abstract rewriting system (ARS). An ARS is a structure $\mathcal{R} = (A, R, \mathrm{src}, \mathrm{tgt})$ where $A$ is a set of objects, $R$ is a set of steps, and $\mathrm{src}$ and $\mathrm{tgt}$ are functions from $R$ to $A$, specifying the source and target of the steps, respectively. Two steps are called coinitial if they start at the same object.

Definition 2.3. A residual system is specified by a triple $(\mathcal{R}, 1, /)$ where: $\mathcal{R}$ is an (abstract) rewriting system; $1$ is a function from objects (of $\mathcal{R}$) to steps, such that $\mathrm{src}(1(s)) = \mathrm{tgt}(1(s)) = s$; and $/$, the projection function, is a function from pairs of coinitial steps to steps, with $\mathrm{src}(\varphi/\psi) = \mathrm{tgt}(\psi)$ and $\mathrm{tgt}(\varphi/\psi) = \mathrm{tgt}(\psi/\varphi)$, such that the following identities hold:

$1/\varphi = 1$
$\varphi/1 = \varphi$
$\varphi/\varphi = 1$
$(\varphi/\psi)/(\chi/\psi) = (\varphi/\chi)/(\psi/\chi)$

The result of projecting $\varphi$ over $\psi$ (i.e. $\varphi/\psi$) is called the residual of $\varphi$ after $\psi$. The intuitions behind the first three identities and the requirements on sources and targets are immediately clear. Noting that if we want to project $\varphi$ over $\psi$ and then over $\chi$, we actually have to project $\varphi$ over $\psi$ and then over $\chi/\psi$ to make sure that the steps are coinitial, the last identity just states that projecting $\varphi$ over $\psi$ and then over $\chi$ yields the same result as projecting $\varphi$ over $\psi$ and $\chi$ in reverse order.

Theorem 2.4. If $(\mathcal{R}, 1, /)$ is a residual system, then $\mathcal{R}$ is confluent.

Proof. Let $(\mathcal{R}, 1, /)$ be a residual system, $\varphi$ a step from $a$ to $b$ and $\psi$ a step from $a$ to $c$. Then $\psi/\varphi$ is a step from $b$ to some $d$ and $\varphi/\psi$ a step from $c$ to the same object $d$.

Residual theory provides an elegant formalization of the notion of equivalence of reductions: two reductions are the same if the residual of the one after the other is an empty reduction, and vice versa. This formalization is called permutation equivalence. We define, for reductions $\varphi, \psi$:

$\varphi \le \psi$ iff $\varphi/\psi = 1$
$\varphi \sim \psi$ iff $\varphi \le \psi$ and $\psi \le \varphi$

It is not difficult to prove that $\le$ is a quasi-order, and $\sim$ is a congruence.

One of the side-effects of the main result of the paper is that the above notion of permutation equivalence transfers directly to PRSs. Laneve & Montanari [5] give an axiomatic definition of permutation equivalence for the related format of orthogonal Combinatory Reduction Systems (CRSs), by translating CRSs to first-order TRSs and then using a first-order rewrite logic. We apply a higher-order rewrite logic to PRSs directly.

3 Higher-Order Rewrite Logic 

In this section we give an alternative definition of the rewrite relation by means of a higher-order rewrite logic, i.e. a higher-order equational logic (see e.g. [11,19]) without the symmetry rule (cf. [9]). The rules of the higher-order rewrite logic are presented in Table 1, together with witnessing proof terms ($\rho : l \to r$ is a rule, and $a$ is an arbitrary function symbol or variable). Note that $l(s_1, \ldots, s_n)$ is implicitly reduced to $\beta\eta$-normal form. The rules don't include a symmetry rule; this rule can be easily simulated by the other rules, and is therefore left out. Note that the rule and apps rules function as axioms if $n = 0$. We write $s > t$ if there is a proof term $\varphi$ such that $\varphi : s > t$.

Proposition 3.1. $s \to^{*} t$ iff $s > t$.



Table 1. Rewrite logic for HRSs with witnessing proof terms

$\dfrac{\varphi_1 : s_1 > t_1 \quad \cdots \quad \varphi_n : s_n > t_n}{\rho(\varphi_1, \ldots, \varphi_n) : l(s_1, \ldots, s_n) > r(t_1, \ldots, t_n)}$ (rule)

$\dfrac{\varphi_1 : s_1 > t_1 \quad \cdots \quad \varphi_n : s_n > t_n}{a(\varphi_1, \ldots, \varphi_n) : a(s_1, \ldots, s_n) > a(t_1, \ldots, t_n)}$ (apps)

$\dfrac{\varphi : s > t}{\lambda x.\varphi : \lambda x.s > \lambda x.t}$ (abs)

$\dfrac{\varphi : s > u \quad \psi : u > t}{(\varphi \cdot \psi) : s > t}$ (trans)
Proof. The left-to-right case of the proposition is trivial, and the right-to-left case is done by structural induction on the inference of $s > t$.

In the rest of the paper, the following conventions are used: $f, g$ range over function symbols, $x, y$ range over variables, $a, b$ range over function symbols and variables, and $\rho, \theta$ are rule symbols, where $l, r$ are the left- and right-hand side of $\rho$. Suppose $\varphi : s > t$. The terms $s$ and $t$ will be called the source and target of $\varphi$, respectively, and we introduce the functions $\mathrm{src}(\varphi) = s$ and $\mathrm{tgt}(\varphi) = t$. It is easily seen that $s : s > s$. Thus, we define the unit function $1$ as $1(t) = t$. We will write $1$ for each reduction which is the unit of some term; usually the exact term can be found by looking at the source or the target.

Proof terms are convenient, because they are terms, and so we have technical machinery to deal with them [1,13,14]. We relate proof terms to the conventional rewriting terminology in the following way: a multistep (or just step for short) is a proof term which contains no $\cdot$'s; a proper step is a multistep with only one rule symbol in it, and a (multistep) reduction is a proof term of the form $\varphi_1 \cdot \ldots \cdot \varphi_n$ (modulo associativity of $\cdot$), where the $\varphi_i$ are multisteps. Note that these notions intuitively correspond with the usual notions that are not based on proof terms.

We associate to each HRS $\mathcal{H}$ the following ARS $H$: terms are its objects, the proof terms of $\mathcal{H}$ are its steps, and the $\mathrm{src}$ and $\mathrm{tgt}$ functions simply are the ones introduced above. The translation of $\mathcal{H}$ into $H$ will be done implicitly.

4 Higher-Order Term Residual Systems 

From now on, we restrict our attention to PRSs. Let a pre-slash-dot term be a proof term over an extended signature which includes a polymorphic projection operator $/ : \alpha \to \alpha \to \alpha$ (note that every proof term is a slash-dot term as well). Slash-dot terms are pre-slash-dot terms modulo the following equations:

$f(\varphi_1 \cdot \psi_1, \ldots, \varphi_n \cdot \psi_n) = f(\varphi_1, \ldots, \varphi_n) \cdot f(\psi_1, \ldots, \psi_n)$
$\lambda x.(\varphi \cdot \psi) = \lambda x.\varphi \cdot \lambda x.\psi$
$1 \cdot \varphi = \varphi$
$\varphi \cdot 1 = \varphi$

The first two of the equations are called the functorial identities, and the last two are called the unit identities.

We are interested in defining a projection function which associates to each 
slash-dot term the proof term which represents the desired residual reduction. 
We do this by first defining a simplification relation, and then proving that 
the ‘normal forms’ of this relation are proof terms, and unique for each slash- 
dot term. The projection function is then the function which associates to each 
slash-dot term this normal form. 

4.1 A First Attempt 

Simplification of terms is usually modelled as a rewriting system. In [13,14], a rewriting system is presented which reduces (first-order) slash-dot terms to their corresponding proof term. The naive method to transfer the system to the higher-order case is to add the following rule:

$(\lambda x.\varphi'(x) / \lambda x.\psi'(x))\,z \to \varphi'(z) / \psi'(z)$

This rule pushes abstractions outwards. The variable $z$ is used to correctly handle bound variables. However, the rule is not equipped to handle nesting correctly. Consider the following two-rule PRS:

$\mu : \lambda z.\mathit{mu}(\lambda x.z(x)) \to \lambda z.z(\mathit{mu}(\lambda x.z(x)))$
$\rho : \lambda x.f(x) \to \lambda x.g(x)$

and the following steps:

$\mathit{mu}(\lambda x.\rho(x)) : \mathit{mu}(\lambda x.f(x)) > \mathit{mu}(\lambda x.g(x))$
$\mu(\lambda x.f(x)) : \mathit{mu}(\lambda x.f(x)) > f(\mathit{mu}(\lambda x.f(x)))$

We see that the proof term $\mathit{mu}(\lambda x.\rho(x)) / \mu(\lambda x.f(x))$ reduces in a number of steps to $\rho(\mathit{mu}(\lambda x.\rho(x) / \lambda x.\rho(x)))$, and then in the final step the two copies of $\mathit{mu}(\lambda x.\rho(x))$, which are not supposed to be further reduced, ‘cancel each other out’, resulting in the (incorrect) proof term $\rho(\mathit{mu}(\lambda x.f(x)))$. Changing the fifth rule into

$(\lambda x.\varphi'(x) / \lambda x.\psi'(x))\,z \to \varphi'(\mathsf{T}z) / \psi'(\mathsf{T}z)$

where $\mathsf{T}$ is a new symbol which makes sure that applications of the other rules are blocked, and adding rules to make sure that $\mathsf{T}\varphi / \mathsf{T}\varphi \to^{*} \varphi$, seems, at first sight, to solve the problem, but I have chosen another approach which I find more elegant.

4.2 Residuals of Compatible Reductions 

We define the ‘simplification’ relation between slash-dot terms and proof terms by means of the inference system Res given in Table 2 on page 129. We write $\vdash_{\mathcal{K}} \varphi/\psi \Rightarrow \chi$ to denote that the inference $\mathcal{K}$ has $\varphi/\psi \Rightarrow \chi$ as its final conclusion. The function $|\mathcal{K}|$ returns the ‘depth’ of an inference, i.e. if $\mathcal{K}$ is an inference with immediate subinferences $\mathcal{L}_1, \ldots, \mathcal{L}_n$, then $|\mathcal{K}| = \max_{0 < i \le n} |\mathcal{L}_i| + 1$. We write $\vdash^{k} \varphi/\psi \Rightarrow \chi$ if an inference $\mathcal{K}$ exists such that $\vdash_{\mathcal{K}} \varphi/\psi \Rightarrow \chi$ and $|\mathcal{K}| \le k$. If $k$ is omitted, $\mathcal{K}$ may be of arbitrary size, and in this case the $\vdash$ will often be omitted as well. The principal rule of an inference $\mathcal{K}$ is the last rule which is applied, i.e. the rule which appears at the bottom of the inference. We will assume the function $\mathrm{pr}(\mathcal{K})$ which returns the principal rule of an inference $\mathcal{K}$.

Example 4.1. Consider the PRS from Sect. 4.1. The current framework yields the correct result; each line below is derived from the line above it by the indicated rule of Table 2:

$x/x \Rightarrow x$ ($R_1$)
$\rho(x)/f(x) \Rightarrow \rho(x)$ ($R_3$)
$\lambda x.\rho(x)/\lambda x.f(x) \Rightarrow \lambda x.\rho(x)$ ($R_5$)
$\mathit{mu}(\lambda x.\rho(x)) / \mu(\lambda x.f(x)) \Rightarrow \rho(\mathit{mu}(\lambda x.\rho(x)))$ ($R_4$)
Table 2. The inference rules for Res.

Residual rules:

$\dfrac{\varphi_1/\psi_1 \Rightarrow \chi_1 \quad \cdots \quad \varphi_n/\psi_n \Rightarrow \chi_n}{a(\varphi_1, \ldots, \varphi_n)/a(\psi_1, \ldots, \psi_n) \Rightarrow a(\chi_1, \ldots, \chi_n)}$ ($R_1$)

$\dfrac{\varphi_1/\psi_1 \Rightarrow \chi_1 \quad \cdots \quad \varphi_n/\psi_n \Rightarrow \chi_n}{\rho(\varphi_1, \ldots, \varphi_n)/\rho(\psi_1, \ldots, \psi_n) \Rightarrow r(\chi_1, \ldots, \chi_n)}$ ($R_2$)

$\dfrac{\varphi_1/\psi_1 \Rightarrow \chi_1 \quad \cdots \quad \varphi_n/\psi_n \Rightarrow \chi_n}{\rho(\varphi_1, \ldots, \varphi_n)/l(\psi_1, \ldots, \psi_n) \Rightarrow \rho(\chi_1, \ldots, \chi_n)}$ ($R_3$)

$\dfrac{\varphi_1/\psi_1 \Rightarrow \chi_1 \quad \cdots \quad \varphi_n/\psi_n \Rightarrow \chi_n}{l(\varphi_1, \ldots, \varphi_n)/\rho(\psi_1, \ldots, \psi_n) \Rightarrow r(\chi_1, \ldots, \chi_n)}$ ($R_4$)

$\dfrac{\varphi/\psi \Rightarrow \chi}{\lambda x.\varphi/\lambda x.\psi \Rightarrow \lambda x.\chi}$ ($R_5$)

$\dfrac{\varphi_1/\psi \Rightarrow \varphi_1' \quad \psi/\varphi_1 \Rightarrow \psi' \quad \varphi_2/\psi' \Rightarrow \varphi_2'}{(\varphi_1 \cdot \varphi_2)/\psi \Rightarrow \varphi_1' \cdot \varphi_2'}$ ($L$)

$\dfrac{\varphi/\psi_1 \Rightarrow \varphi' \quad \varphi'/\psi_2 \Rightarrow \chi}{\varphi/(\psi_1 \cdot \psi_2) \Rightarrow \chi}$ ($R$)

$\dfrac{\varphi \Rightarrow \varphi' \quad \varphi'/\psi \Rightarrow \chi}{\varphi/\psi \Rightarrow \chi}$

Replacement rules:

$\dfrac{\varphi_1 \Rightarrow \psi_1 \quad \cdots \quad \varphi_n \Rightarrow \psi_n}{a(\varphi_1, \ldots, \varphi_n) \Rightarrow a(\psi_1, \ldots, \psi_n)}$ ($\mathrm{repl}_a$)

$\dfrac{\varphi_1 \Rightarrow \psi_1 \quad \cdots \quad \varphi_n \Rightarrow \psi_n}{\rho(\varphi_1, \ldots, \varphi_n) \Rightarrow \rho(\psi_1, \ldots, \psi_n)}$ ($\mathrm{repl}_\rho$)

$\dfrac{\varphi \Rightarrow \psi}{\lambda x.\varphi \Rightarrow \lambda x.\psi}$ ($\mathrm{repl}_\lambda$)

$\dfrac{\varphi_1 \Rightarrow \psi_1 \quad \varphi_2 \Rightarrow \psi_2}{\varphi_1 \cdot \varphi_2 \Rightarrow \psi_1 \cdot \psi_2}$ ($\mathrm{repl}_\cdot$)

A slash-dot term $\varphi$ is called internally compatible if there is a $\chi$ such that $\varphi \Rightarrow \chi$. The source and target of an internally compatible slash-dot term $\varphi$ with $\varphi \Rightarrow \chi$ are defined as $\mathrm{src}(\varphi) = \mathrm{src}(\chi)$ and $\mathrm{tgt}(\varphi) = \mathrm{tgt}(\chi)$. Two slash-dot terms $\varphi$ and $\psi$ are compatible if $\varphi/\psi$ is internally compatible. A PRS $\mathcal{H}$ is called compatible if all possible pairs of proof terms $\varphi, \psi$ of $\mathcal{H}$ are compatible.

The following lemma expresses, in a sense, that proof terms are the ‘final objects’ of the relation $\Rightarrow$ defined by the inference system.

Lemma 4.2. Let $\varphi$ be a proof term. Then: $\varphi \Rightarrow_{\mathcal{K}} \psi$ if and only if $\varphi = \psi$.

Proof. ($\Rightarrow$) by induction on $\mathcal{K}$, and ($\Leftarrow$) by induction on the length of $\varphi$.

Next, we prove a few standardization properties of the proposed inference system, which will come in handy in the later proofs. Given a desired outcome, Lemma 4.3 and Lemma 4.4 are used to select the principal rule of a valid inference with the desired conclusion (if it exists).

Lemma 4.3. Suppose $\varphi/\psi \Rightarrow_{\mathcal{K}} \chi$.

1. If $\varphi = a(\varphi_1, \ldots, \varphi_n)$ and $\psi = a(\psi_1, \ldots, \psi_n)$, then there is an inference $\mathcal{K}'$ with $|\mathcal{K}'| \le |\mathcal{K}|$ such that $\varphi/\psi \Rightarrow_{\mathcal{K}'} \chi$ and $\mathrm{pr}(\mathcal{K}') = R_1$.

2. If $\varphi = \rho(\varphi_1, \ldots, \varphi_n)$ and $\psi = \rho(\psi_1, \ldots, \psi_n)$, then there is an inference $\mathcal{K}'$ with $|\mathcal{K}'| \le |\mathcal{K}|$ such that $\varphi/\psi \Rightarrow_{\mathcal{K}'} \chi$ and $\mathrm{pr}(\mathcal{K}') = R_2$.

3. If $\varphi = \rho(\varphi_1, \ldots, \varphi_n)$ and $\psi = l(\psi_1, \ldots, \psi_n)$, then there is an inference $\mathcal{K}'$ with $|\mathcal{K}'| \le |\mathcal{K}|$ such that $\varphi/\psi \Rightarrow_{\mathcal{K}'} \chi$ and $\mathrm{pr}(\mathcal{K}') = R_3$.

4. If $\varphi = l(\varphi_1, \ldots, \varphi_n)$ and $\psi = \rho(\psi_1, \ldots, \psi_n)$, then there is an inference $\mathcal{K}'$ with $|\mathcal{K}'| \le |\mathcal{K}|$ such that $\varphi/\psi \Rightarrow_{\mathcal{K}'} \chi$ and $\mathrm{pr}(\mathcal{K}') = R_4$.

5. If $\varphi = \lambda x.\varphi_0$ and $\psi = \lambda x.\psi_0$, then there is an inference $\mathcal{K}'$ with $|\mathcal{K}'| \le |\mathcal{K}|$ such that $\varphi/\psi \Rightarrow_{\mathcal{K}'} \chi$ and $\mathrm{pr}(\mathcal{K}') = R_5$.

Proof. By induction on $|\mathcal{K}|$.

Lemma 4.4. Suppose $\varphi/\psi \Rightarrow_{\mathcal{K}} \chi$.

1. If $\varphi = \varphi_1 \cdot \varphi_2$, then there is an inference $\mathcal{K}'$ with $|\mathcal{K}'| \le |\mathcal{K}|$ such that $\varphi/\psi \Rightarrow_{\mathcal{K}'} \chi$ and $\mathrm{pr}(\mathcal{K}') = L$.

2. If $\psi = \psi_1 \cdot \psi_2$, then there is an inference $\mathcal{K}'$ with $|\mathcal{K}'| \le |\mathcal{K}|$ such that $\varphi/\psi \Rightarrow_{\mathcal{K}'} \chi$ and $\mathrm{pr}(\mathcal{K}') = R$.

Proof. By induction on $|\mathcal{K}|$.



Lemma 4.5. If $\varphi \Rightarrow_{\mathcal{K}} \chi$ and $\varphi \Rightarrow_{\mathcal{K}'} \chi'$, then $\chi = \chi'$.

Proof. By induction on the sum of the sizes of the inferences.

We define the relation $\approx$ to be the reflexive, symmetric and transitive closure of $\Rightarrow$. By Lemma 4.5 and the fact that if $\varphi \Rightarrow \chi$ then $\chi$ is a proof term (easily proved by induction), we can take proof terms as the unique representatives of the classes of $\approx$-equivalent slash-dot terms. We can now define the projection operator $/\!/$ as follows: $\varphi /\!/ \psi = \chi$ if $\chi$ is the unique representative of the slash-dot term $\varphi/\psi$. Theorem 4.6 is proved in Sect. 4.3.

Theorem 4.6. $(H, 1, /\!/)$ is a residual system, if $\mathcal{H}$ is a compatible PRS.



Corollary 4.7. A compatible PRS is confluent. 



Proof. By Theorems 4.6 and 2.4. 




Residuals in Higher-Order Rewriting 131 

4.3 Proof of Theorem 4.6 

In this subsection we prove Theorem 4.6, i.e. we show that a compatible PRS 
together with unit and projection operator is a residual system. We mention the 
following two auxiliary lemmas, of which the proof is easy: 

Lemma 4.8. $\chi/(\varphi \cdot \psi) \approx (\chi/\varphi)/\psi$

Lemma 4.9. $\approx$ is a congruence.

To prove that we are dealing with a residual system, we have to show that 
sources and targets match (Prop. 4.10), and that the residual axioms hold 
(Prop. 4.11). 

Proposition 4.10. Sources and targets match, i.e.:

1. $\mathrm{src}(\varphi/\psi) = \mathrm{tgt}(\psi)$

2. $\mathrm{tgt}(\varphi/\psi) = \mathrm{tgt}(\psi/\varphi)$

Proof. By induction on the inferences of $\varphi/\psi \Rightarrow \chi$ and $\psi/\varphi \Rightarrow \zeta$ we easily prove that $\mathrm{src}(\chi) = \mathrm{tgt}(\psi)$ and $\mathrm{tgt}(\chi) = \mathrm{tgt}(\zeta)$.

Proposition 4.11. The residual axioms hold, i.e.:

1. $1/\varphi \approx 1$

2. $\varphi/1 \approx \varphi$

3. $\varphi/\varphi \approx 1$

4. $(\varphi/\psi)/(\chi/\psi) \approx (\varphi/\chi)/(\psi/\chi)$

Proof. (1)-(3) are proved by induction on the length of $\varphi$. In addition, (2) is based on (1), and (3) on (1) and (2).

In order to prove (4) we introduce the layered size $|\varphi|$ of a slash-dot term $\varphi$:

$|f(\varphi_1, \ldots, \varphi_n)| = 1 + \max_{0 < i \le n} |\varphi_i|$
$|x(\varphi_1, \ldots, \varphi_n)| = 1 + \max_{0 < i \le n} |\varphi_i|$
$|\rho(\varphi_1, \ldots, \varphi_n)| = 1 + \max_{0 < i \le n} |\varphi_i|$
$|\lambda x.\varphi| = |\varphi|$
$|\varphi \cdot \psi| = |\varphi| + 1 + |\psi|$
$|\varphi/\psi| = |\varphi|$

Now (4) is verified by induction on the sum of the layered sizes of $\varphi$, $\psi$ and $\chi$.

The proof follows the same pattern as the one in [13]. Suppose that either $\varphi$, $\psi$ or $\chi$ is a composite. If $\varphi$ is a composite, we have the following, where the various steps follow from Lemma 4.9 and either the induction hypothesis (the steps marked IH) or Lemma 4.8:

$((\varphi_1 \cdot \varphi_2)/\psi)/(\chi/\psi)$
$\approx ((\varphi_1/\psi) \cdot (\varphi_2/(\psi/\varphi_1)))/(\chi/\psi)$
$\approx (\varphi_1/\psi)/(\chi/\psi) \cdot ((\varphi_2/(\psi/\varphi_1))/((\chi/\psi)/(\varphi_1/\psi)))$
$\approx_{\mathrm{IH}} (\varphi_1/\chi)/(\psi/\chi) \cdot ((\varphi_2/(\psi/\varphi_1))/((\chi/\varphi_1)/(\psi/\varphi_1)))$
$\approx_{\mathrm{IH}} (\varphi_1/\chi)/(\psi/\chi) \cdot ((\varphi_2/(\chi/\varphi_1))/((\psi/\varphi_1)/(\chi/\varphi_1)))$
$\approx ((\varphi_1/\chi) \cdot (\varphi_2/(\chi/\varphi_1)))/(\psi/\chi)$
$\approx ((\varphi_1 \cdot \varphi_2)/\chi)/(\psi/\chi)$

If $\psi$ is a composite, we do:

$(\varphi/(\psi_1 \cdot \psi_2))/(\chi/(\psi_1 \cdot \psi_2))$
$\approx ((\varphi/\psi_1)/\psi_2)/((\chi/\psi_1)/\psi_2)$
$\approx_{\mathrm{IH}} ((\varphi/\psi_1)/(\chi/\psi_1))/(\psi_2/(\chi/\psi_1))$
$\approx_{\mathrm{IH}} ((\varphi/\chi)/(\psi_1/\chi))/(\psi_2/(\chi/\psi_1))$
$\approx (\varphi/\chi)/((\psi_1/\chi) \cdot (\psi_2/(\chi/\psi_1)))$
$\approx (\varphi/\chi)/((\psi_1 \cdot \psi_2)/\chi)$

The case that $\chi$ is a composite is the inverse of this.

Now consider the case that none of $\varphi, \psi, \chi$ are composites. Suppose that $\varphi = f(\vec{\varphi})$, $\psi = f(\vec{\psi})$ and $\chi = f(\vec{\chi})$, where we use the notation $\vec{x}$ for the vector $x_1, \ldots, x_n$. By Lemma 4.3, the following inference must exist:

$\dfrac{\dfrac{\varphi_i/\psi_i \Rightarrow \zeta_{1,i}}{f(\vec{\varphi})/f(\vec{\psi}) \Rightarrow f(\vec{\zeta}_1)} \quad \dfrac{\chi_i/\psi_i \Rightarrow \zeta_{2,i}}{f(\vec{\chi})/f(\vec{\psi}) \Rightarrow f(\vec{\zeta}_2)} \quad \dfrac{\zeta_{1,i}/\zeta_{2,i} \Rightarrow \xi_{1,i}}{f(\vec{\zeta}_1)/f(\vec{\zeta}_2) \Rightarrow f(\vec{\xi}_1)}}{(f(\vec{\varphi})/f(\vec{\psi}))/(f(\vec{\chi})/f(\vec{\psi})) \Rightarrow f(\vec{\xi}_1)}$

and similarly we obtain an inference of $(f(\vec{\varphi})/f(\vec{\chi}))/(f(\vec{\psi})/f(\vec{\chi})) \Rightarrow f(\vec{\xi}_2)$. Using the same subinferences for $\varphi_i/\psi_i \Rightarrow \zeta_{1,i}$, $\chi_i/\psi_i \Rightarrow \zeta_{2,i}$ and $\zeta_{1,i}/\zeta_{2,i} \Rightarrow \xi_{1,i}$, we easily obtain $(\varphi_i/\psi_i)/(\chi_i/\psi_i) \Rightarrow \xi_{1,i}$, and similarly we show $(\varphi_i/\chi_i)/(\psi_i/\chi_i) \Rightarrow \xi_{2,i}$. Since, by induction hypothesis, $(\varphi_i/\psi_i)/(\chi_i/\psi_i) \approx (\varphi_i/\chi_i)/(\psi_i/\chi_i)$, we know now that $\xi_{1,i} \approx \xi_{2,i}$, so there are $\xi_{3,i}$ such that $\xi_{1,i} \Rightarrow \xi_{3,i}$ and $\xi_{2,i} \Rightarrow \xi_{3,i}$. Two easy inferences prove $f(\vec{\xi}_1) \Rightarrow f(\vec{\xi}_3)$ and $f(\vec{\xi}_2) \Rightarrow f(\vec{\xi}_3)$. We put everything together with transitivity and get:

$(f(\vec{\varphi})/f(\vec{\psi}))/(f(\vec{\chi})/f(\vec{\psi})) \approx f(\vec{\xi}_3) \approx (f(\vec{\varphi})/f(\vec{\chi}))/(f(\vec{\psi})/f(\vec{\chi}))$

The same strategy works in the other non-composite cases, e.g. if $\varphi = \rho(\vec{\varphi})$, $\psi = \rho(\vec{\psi})$, and $\chi = l(\vec{\chi})$, since the difficult nesting problems (duplicating behaviour within right-hand sides of rules) occur only on the right of the $\Rightarrow$ symbols.

Now, Theorem 4.6 follows from Prop. 4.10 and Prop. 4.11. QED.



4.4 Computing Residuals 

In Sect. 4.2 only a specification of the simplification relation was given, but Lemma 4.3 and Lemma 4.4 already hinted at the existence of an algorithm which effectively computes the representative of a slash-dot term. In this section, such an algorithm is indeed given. We also prove that it terminates for two special cases of slash-dot terms, and show that if the algorithm terminates, it prints the correct answer.

Definition 4.12. The (recursive) function $\mathrm{sim}(\pi)$ on proof terms $\pi$ is defined by the following pseudo-program:

$\mathrm{sim}((\varphi_1/\varphi_2)/\psi) = \mathrm{sim}(\varphi'/\psi)$ where $\varphi' = \mathrm{sim}(\varphi_1/\varphi_2)$
$\mathrm{sim}(\varphi/(\psi_1/\psi_2)) = \mathrm{sim}(\varphi/\psi')$ where $\psi' = \mathrm{sim}(\psi_1/\psi_2)$
$\mathrm{sim}(x(\varphi_1, \ldots, \varphi_n)/x(\psi_1, \ldots, \psi_n)) = x(\mathrm{sim}(\varphi_1/\psi_1), \ldots, \mathrm{sim}(\varphi_n/\psi_n))$
$\mathrm{sim}(f(\varphi_1, \ldots, \varphi_n)/f(\psi_1, \ldots, \psi_n)) = f(\mathrm{sim}(\varphi_1/\psi_1), \ldots, \mathrm{sim}(\varphi_n/\psi_n))$
$\mathrm{sim}(\rho(\varphi_1, \ldots, \varphi_n)/\rho(\psi_1, \ldots, \psi_n)) = r(\mathrm{sim}(\varphi_1/\psi_1), \ldots, \mathrm{sim}(\varphi_n/\psi_n))$
$\mathrm{sim}(\rho(\varphi_1, \ldots, \varphi_n)/l(\psi_1, \ldots, \psi_n)) = \rho(\mathrm{sim}(\varphi_1/\psi_1), \ldots, \mathrm{sim}(\varphi_n/\psi_n))$
$\mathrm{sim}(l(\varphi_1, \ldots, \varphi_n)/\rho(\psi_1, \ldots, \psi_n)) = r(\mathrm{sim}(\varphi_1/\psi_1), \ldots, \mathrm{sim}(\varphi_n/\psi_n))$
$\mathrm{sim}(\lambda x.\varphi/\lambda x.\psi) = \lambda x.\mathrm{sim}(\varphi/\psi)$
$\mathrm{sim}((\varphi_1 \cdot \varphi_2)/\psi) = \varphi_1' \cdot \varphi_2'$ where $\varphi_1' = \mathrm{sim}(\varphi_1/\psi)$ and $\varphi_2' = \mathrm{sim}(\varphi_2/\psi')$ where $\psi' = \mathrm{sim}(\psi/\varphi_1)$
$\mathrm{sim}(\varphi/(\psi_1 \cdot \psi_2)) = \mathrm{sim}(\varphi'/\psi_2)$ where $\varphi' = \mathrm{sim}(\varphi/\psi_1)$
$\mathrm{sim}(f(\varphi_1, \ldots, \varphi_n)) = f(\mathrm{sim}(\varphi_1), \ldots, \mathrm{sim}(\varphi_n))$
$\mathrm{sim}(\rho(\varphi_1, \ldots, \varphi_n)) = \rho(\mathrm{sim}(\varphi_1), \ldots, \mathrm{sim}(\varphi_n))$
$\mathrm{sim}(\lambda x.\varphi) = \lambda x.\mathrm{sim}(\varphi)$
if none of the above cases apply then print “incompatible”
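As an added example (not code from the paper), the pseudo-program of Definition 4.12 in Python, restricted to the first-order fragment, i.e. proof terms without abstractions, so the $\lambda$-clause is absent and the $a(\ldots)$ clause covers function symbols and variables alike. The rules, the coinitial proof terms and the exception Incompatible (standing in for the print of “incompatible”) are constructed here; composition is additionally normalized by the unit identities of Sect. 4.

```python
"""Added example (not from the paper): Def. 4.12's sim() restricted to the
first-order fragment of PRSs (proof terms without abstractions), so the lambda
clause is absent and a(...) covers function symbols and 0-ary variables alike."""
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class Node:
    kind: str            # "sym": a(...)     "var": metavariable x inside l and r
    name: str = ""       # "rule": rho(...)  "comp": phi . psi   "slash": phi / psi
    args: Tuple["Node", ...] = ()

def sym(name: str, *args: Node) -> Node: return Node("sym", name, args)
def var(name: str) -> Node: return Node("var", name)
def rule(name: str, *args: Node) -> Node: return Node("rule", name, args)
def slash(p: Node, q: Node) -> Node: return Node("slash", "/", (p, q))

class Incompatible(Exception): pass   # raised where Def. 4.12 prints "incompatible"

# Constructed rules: rule symbol -> (metavariables, l, r).  kappa overlaps rho at the
# root (so the PRS is not orthogonal) and only serves to exercise the failure path.
RULES: Dict[str, Tuple[Tuple[str, ...], Node, Node]] = {
    "rho":   (("x",), sym("f", var("x")), sym("h", var("x"), var("x"))),  # f(x) -> h(x, x)
    "theta": (("x",), sym("g", var("x")), var("x")),                      # g(x) -> x
    "kappa": (("x",), sym("f", sym("g", var("x"))), var("x")),            # f(g(x)) -> x
}

def subst(side: Node, env: Dict[str, Node]) -> Node:
    """l(phi_1, ..., phi_n) resp. r(phi_1, ..., phi_n) in the paper's notation."""
    if side.kind == "var":
        return env[side.name]
    return sym(side.name, *(subst(a, env) for a in side.args))

def match(side: Node, t: Node, env: Dict[str, Node]) -> bool:
    """Does t have the shape l(psi_1, ..., psi_n)?  Binds the psi_i in env."""
    if side.kind == "var":                      # a repeated x must meet equal terms
        return env.setdefault(side.name, t) == t
    return (t.kind == "sym" and t.name == side.name and len(t.args) == len(side.args)
            and all(match(p, a, env) for p, a in zip(side.args, t.args)))

def is_unit(t: Node) -> bool:
    """A proof term without rule symbols is a term, i.e. a unit 1."""
    return t.kind == "sym" and all(is_unit(a) for a in t.args)

def comp(p: Node, q: Node) -> Node:
    """Composition modulo the unit identities 1.phi = phi = phi.1."""
    return q if is_unit(p) else p if is_unit(q) else Node("comp", ".", (p, q))

def sim(t: Node) -> Node:
    """Def. 4.12 clause by clause; raising Incompatible replaces the final print."""
    if t.kind == "slash":
        p, q = t.args
        if p.kind == "slash":                                    # (p1/p2)/q
            return sim(slash(sim(p), q))
        if q.kind == "slash":                                    # p/(q1/q2)
            return sim(slash(p, sim(q)))
        if (p.kind, q.kind) == ("sym", "sym") and p.name == q.name and len(p.args) == len(q.args):
            return sym(p.name, *(sim(slash(a, b)) for a, b in zip(p.args, q.args)))  # a(p)/a(q)
        if (p.kind, q.kind) == ("rule", "rule") and p.name == q.name:
            xs, _, r = RULES[p.name]                             # rho(p)/rho(q) = r(p_i/q_i)
            return subst(r, {x: sim(slash(a, b)) for x, a, b in zip(xs, p.args, q.args)})
        env: Dict[str, Node] = {}
        if p.kind == "rule" and match(RULES[p.name][1], q, env):
            xs = RULES[p.name][0]                                # rho(p)/l(q) = rho(p_i/q_i)
            return rule(p.name, *(sim(slash(a, env[x])) for x, a in zip(xs, p.args)))
        env = {}
        if q.kind == "rule" and match(RULES[q.name][1], p, env):
            xs, _, r = RULES[q.name]                             # l(p)/rho(q) = r(p_i/q_i)
            return subst(r, {x: sim(slash(env[x], b)) for x, b in zip(xs, q.args)})
        if p.kind == "comp":                                     # (p1.p2)/q = (p1/q).(p2/(q/p1))
            p1, p2 = p.args
            return comp(sim(slash(p1, q)), sim(slash(p2, sim(slash(q, p1)))))
        if q.kind == "comp":                                     # p/(q1.q2) = (p/q1)/q2
            return sim(slash(sim(slash(p, q.args[0])), q.args[1]))
        raise Incompatible(f"{p} / {q}")
    if t.kind in ("sym", "rule"):                                # a(p), rho(p): simplify inside
        return Node(t.kind, t.name, tuple(sim(a) for a in t.args))
    raise Incompatible(f"no clause applies to {t}")

def residual(p: Node, q: Node) -> Node:
    """p // q of Sect. 4.2: the proof term representing the slash-dot term p/q."""
    return sim(slash(p, q))

def compatible(p: Node, q: Node) -> bool:
    try:
        residual(p, q)
        return True
    except Incompatible:
        return False

# Constructed coinitial proof terms from s = f(g(a)); PSI duplicates the g-subterm.
A = sym("a")
PHI1 = sym("f", rule("theta", A))       # f(g(a)) > f(a)
PHI2 = rule("rho", A)                   # f(a)    > h(a, a)
PSI = rule("rho", sym("g", A))          # f(g(a)) > h(g(a), g(a))

if __name__ == "__main__":
    print(residual(comp(PHI1, PHI2), PSI))  # h(theta(a), theta(a)): theta-redex doubled, rho-step gone
    print(residual(PSI, comp(PHI1, PHI2)))  # h(a, a): a unit, PSI is covered by the reduction
```

Projecting the reduction $f(\theta(a)) \cdot \rho(a)$ over $\rho(g(a))$ yields $h(\theta(a), \theta(a))$: the right-hand side $h(x,x)$ duplicates the $\theta$-redex, while the $\rho$-step, already performed, is erased to a unit; projecting $\rho(g(a))$ over $\rho(g(a))$ or over that reduction gives a unit, as axioms (3) and the source/target conditions of Definition 2.3 require.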

Proposition 4.13.

1. If $\varphi$ and $\psi$ are reductions, then $\mathrm{sim}(\varphi/\psi)$ terminates.

2. If $\varphi$ is internally compatible, then $\mathrm{sim}(\varphi)$ terminates.

Proof. We prove the first item first. If $\varphi$ and $\psi$ are reductions, then the computation of $\mathrm{sim}(\varphi/\psi)$ proceeds in two stages: first the compositions on the outside of the terms are dealt with, and in this stage the number of composition symbols in the proof term strictly decreases in each step; and then, when $\varphi$ and $\psi$ are parallel steps, the length of the proof term strictly decreases in each step.

Secondly, if $\varphi$ is internally compatible, then an inference $\mathcal{K}$ exists such that $\varphi \Rightarrow_{\mathcal{K}} \chi$. The second item can be proved by induction on $\mathcal{K}$, using Lemma 4.3 and Lemma 4.4.

Termination in general is hard to show. If a proof term $\varphi$ is not internally compatible, an inference of $\varphi \Rightarrow \chi$ is not at our disposal, so we cannot use induction on the inference. The problem is then the cases which deal with composition. In these cases the size of the terms which are passed recursively to the function may actually be larger than the size of the term under consideration.
Conjecture 4.14. $\mathrm{sim}(\varphi)$ terminates for all slash-dot terms $\varphi$.

The main result of the paper does not depend on this conjecture, although, because it is not proved, a small detour has to be followed in Sect. 5.1.

Proposition 4.15. $\mathrm{sim}(\varphi) = \chi$ if and only if $\varphi \Rightarrow \chi$.

Proof. The ‘only if’ side is proved by recursively building an inference of $\varphi \Rightarrow \chi$. The ‘if’ side is easily proved by using Lemma 4.3 and Lemma 4.4.



5 Orthogonality 

In this section we relate compatibility with the well-known notion of orthogonal- 
ity. In order to define orthogonality, we need to define overlap, and this is done 
by associating with each proper step a set of redex positions, and then looking 
at the intersection of the redex positions of two coinitial proper steps. 

Positions are sequences of natural numbers. If $P$ is a set of positions, and $p$ is a position, we write $p \cdot P$ for $\{pq \mid q \in P\}$. First, we need to define the set of all positions of a term. Let $\Box$ denote the empty context.

$\mathrm{Pos}(\Box) = \emptyset$
$\mathrm{Pos}(x(s_1, \ldots, s_n)) = \{\varepsilon\} \cup \bigcup_{0 < i \le n} i \cdot \mathrm{Pos}(s_i)$
$\mathrm{Pos}(f(s_1, \ldots, s_n)) = \{\varepsilon\} \cup \bigcup_{0 < i \le n} i \cdot \mathrm{Pos}(s_i)$
$\mathrm{Pos}(\lambda x.s) = \{\varepsilon\} \cup 1 \cdot \mathrm{Pos}(s)$

where $x$ is a variable and $f$ a function symbol.

Now, let $\varphi$ be a proper step. We define the set of redex positions of $\varphi$, written $\mathcal{R}\mathrm{Pos}(\varphi)$, as:

$\mathcal{R}\mathrm{Pos}(x(\varphi_1, \ldots, \varphi_n)) = \bigcup_{0 < i \le n} i \cdot \mathcal{R}\mathrm{Pos}(\varphi_i)$
$\mathcal{R}\mathrm{Pos}(f(\varphi_1, \ldots, \varphi_n)) = \bigcup_{0 < i \le n} i \cdot \mathcal{R}\mathrm{Pos}(\varphi_i)$
$\mathcal{R}\mathrm{Pos}(\lambda x.\varphi_0) = 1 \cdot \mathcal{R}\mathrm{Pos}(\varphi_0)$
$\mathcal{R}\mathrm{Pos}(\rho(\varphi_1, \ldots, \varphi_n)) = \mathrm{Pos}(l(\Box, \ldots, \Box))$

Note that, since $\varphi$ is a proper step, in the last equation there are no more rule symbols in the $\varphi_i$.

Two coinitial proper steps $\varphi$ and $\psi$ are said to be overlapping if $\mathcal{R}\mathrm{Pos}(\varphi) \cap \mathcal{R}\mathrm{Pos}(\psi) \neq \emptyset$. A left-linear PRS is orthogonal if all pairs of different, coinitial proper steps are non-overlapping.

This definition has an infinite flavour: there are infinitely many steps one has 
to check. Fortunately, it is well-known that an equivalent notion of orthogonality 
exists, based on critical pairs [7]. Since a finite PRS has only finitely many 
possible critical pairs, this makes the question whether a PRS is orthogonal or 
not decidable. We stick to the step-based definition for convenience. 
5.1 Compatibility Is Orthogonality

In this subsection we will prove that compatibility and orthogonality coincide. 
The difficult part of the proof, but also the most important one, is to show that 
orthogonality implies compatibility. One way of doing so is by contraposition: 
we run the algorithm of Def. 4.12 and analyse in which situations it prints 
incompatible, and show that the PRS is not orthogonal in each of these cases. 
There is one problem: we have not succeeded in proving that the algorithm 
actually always terminates, so we have to follow a small detour: we transform 
the incompatible proof terms into incompatible reductions, and then feed those 
to the algorithm. 

Lemma 5.1. If $l(\varphi_1, \ldots, \varphi_n) \cdot \rho(\psi_1, \ldots, \psi_n)$ is compatible with $\chi$, then $\rho(\varphi_1 \cdot \psi_1, \ldots, \varphi_n \cdot \psi_n)$ is compatible with $\chi$.

Proof. By constructing an inference.

Theorem 5.2. Let $\mathcal{H}$ be a PRS. $\mathcal{H}$ is orthogonal if and only if $\mathcal{H}$ is compatible.

Proof. We first prove the right-to-left implication. Assume that all coinitial reductions are compatible. This implies that all coinitial multisteps $\varphi, \psi$ are compatible, i.e. an inference $\mathcal{K}$ exists such that $\varphi/\psi \Rightarrow_{\mathcal{K}} \chi$. We easily prove, by induction on $\mathcal{K}$, that $\varphi, \psi$ are non-overlapping.

To show the left-to-right implication, assume, by contraposition, that $\varphi, \psi$ are coinitial, but not compatible. Consider the (meta-level) rewrite system which consists of all rules of the form

$\rho(\varphi_1 \cdot \psi_1, \ldots, \varphi_n \cdot \psi_n) \to l(\varphi_1, \ldots, \varphi_n) \cdot \rho(\psi_1, \ldots, \psi_n)$

where $\rho : l \to r$ is a rule. It is not difficult to see that this rewrite system is strongly normalizing, and that its normal forms are actually reductions. So, applying this rewriting system to $\varphi$ and $\psi$ yields reductions $\varphi', \psi'$, respectively. By Prop. 4.13, $\mathrm{sim}(\varphi'/\psi')$ terminates, and by (the contraposition of) Lemma 5.1, $\varphi'$ and $\psi'$ are not compatible.

Let $\varphi_0/\psi_0$ be the slash-dot term which was passed to $\mathrm{sim}$ in the last step before it terminated; $\varphi_0$ and $\psi_0$ must be multisteps. By Prop. 4.15 the algorithm prints incompatible. By coinitiality of $\varphi_0$ and $\psi_0$, it cannot be the case that $\varphi_0 = f(\varphi_1, \ldots, \varphi_n)$ and $\psi_0 = g(\psi_1, \ldots, \psi_n)$, where $f \neq g$. So, the following must apply: $\varphi_0 = \rho(\varphi_1, \ldots, \varphi_n)$ and $\psi_0$ is not of the form $l(\psi_1, \ldots, \psi_n)$. There are two possible causes of this. The first is that $\psi_0$ has a rule symbol within the redex pattern of $l$. But then overlapping, coinitial proper steps $\varphi_0'$ and $\psi_0'$ can be constructed by replacing all rule symbols, except the overlapping ones, of $\varphi_0$ and $\psi_0$, respectively, by their left-hand sides. The second possible cause is that one of the $\psi_i$ occurs twice in $l(\psi_1, \ldots, \psi_n)$. However, then $l$ cannot be left-linear. Both cases imply non-orthogonality. (The third ‘cause’ is that $\psi_0$ has a $\cdot$ inside the redex pattern of $\varphi_0$, but this cannot happen because compositions are moved outwards over function symbols and abstractions by the functorial identities, and $l$ consists only of function symbols and abstractions.) The same argument can be applied to the symmetrical case.
5.2 Residuals of Orthogonal PRSs

In this subsection we prove the main result of the paper, namely that an or- 
thogonal PRS, together with the unit and projection operator, forms a residual 
system. The hard work has already been done; we just need to put together the 
results obtained so far. 

Theorem 5.3. If $\mathcal{H}$ is an orthogonal PRS, then $(H, 1, /\!/)$ is a residual system.

Proof. By Theorem 5.2, $\mathcal{H}$ is compatible, and thus, by Theorem 4.6, $(H, 1, /\!/)$ is a residual system.

It is well-known that orthogonal PRSs are confluent, as was proved in, among 
others, [7,12,15]. Here, we obtain a new proof based on the residual theory devel- 
oped in this paper. The proof emerges as a simple corollary of the main result. 

Corollary 5.4. Orthogonal PRSs are confluent. 

Proof. Let H be an orthogonal PRS. By Theorem 5.3, H is a residual system, 
and thus by Theorem 2.4, H is confluent. 

6 Concluding Remarks 

In this paper, we have shown that orthogonal PRSs form a residual system. As a 
consequence, all results for residual systems are inherited, such as the notion of 
permutation equivalence and confluence. We have also given an algorithm which 
simplifies slash-dot terms to proof terms, and we have proven, in two special 
cases, that the algorithm terminates. 

For the future, the following research is interesting. Firstly, it is interesting 
to find a proof (or a refutation) of the claim that the algorithm mentioned in 
the previous paragraph does always terminate. Not only is this interesting in its 
own right, it is my view that such a proof may aid us in the understanding of 
termination of higher-order rewriting, and provide new proof methods. 

Secondly, it is interesting to see if the framework can be generalized to non- 
orthogonal, left-linear PRSs, or even arbitrary PRSs. For this to work, an error 
symbol must be added, to indicate non-compatibility. For the first-order case, 
the same approach was successfully applied to left-linear TRSs in [13]. 
Abstract. In this paper we describe the implementation of the UNITY 
formalism as an extension of general-purpose languages and show its 
translation to C abstract syntax using PHOBOS, our generic front-end 
in the Mojave compiler. PHOBOS uses term rewriting to define the syn- 
tax and semantics of programming languages, and automates their trans- 
lation to an internal compiler representation. Furthermore, it provides 
access to formal reasoning capabilities using the integrated MetaPRL 
theorem prover, through which advanced optimizations and transforma- 
tions can be implemented or formal proofs derived. 



1 Introduction 

UNITY [3] is a powerful formalism for the specification of nondeterministic con- 
current programs. The UNITY language and execution model are simple, yet 
there has been little effort directed toward the compilation of UNITY programs 
to executable code. In this paper we present a method that uses Phobos [7], 
the generic front-end of the Mojave [12] compiler, to translate UNITY programs 
into C abstract syntax suitable for code generation. Our method has concrete ad- 
vantages over previously known techniques for generating executable code from 
UNITY programs: the implementation is quickly adaptable to different target 
languages, we can easily change the scheduling algorithm used in the generated 
code, and we can leverage the attached theorem prover to carry out transforma- 
tions and proof derivations. 

In our implementation we eliminate nondeterminism from UNITY programs 
by using a simple sequential scheduling of statements, which may consist of 
simple, conditional or quantified assignments as defined in the formalism. This 
particular scheduling is not an inherent property of the translation method, and 
can be easily modified as we describe later. The entire implementation is small, 
and can be tailored to different target languages with minimal effort. We do not 
address formal properties in this paper, but the implementation is designed to 
lay the groundwork for formal analysis in the MetaPRL system. 

1.1 Related Work 

Few compilers have been developed for the UNITY language. DeRoure’s parallel 
implementation of UNITY [5] compiles UNITY to a common backend language. 
BSP-occam; Huber’s MasPar UNITY [11] compiles UNITY to MPL for execution 
on MasPar SIMD computers; and Radha and Muthukrishnan have developed 
a portable implementation of UNITY for Von Neumann machines [17]. These 
UNITY compilers are not as easily adaptable to multiple target languages or 
multiple scheduling algorithms as the rewriting-based translator we describe, and 
none of them have the formal reasoning capabilities provided by an integrated 
theorem prover. 

The construction of formal proofs for UNITY programs has been mechanized 
using various theorem proving environments. Anderson’s HOL-UNITY [2] is an 
implementation of UNITY using the HOL system [6], Heyd and Cregut’s Coq- 
UNITY [8] uses Coq, and Paulson has implemented UNITY within the Isabelle 
environment [15,16]. While these implementations provide assistance in proof 
generation for UNITY programs, they do not generate executable code. 

2 The UNITY Formalism 

The UNITY formalism consists of both a programming language (with accom- 
panying execution model) and a proof logic. In this paper we are primarily 
concerned with the language and its execution model. For a discussion of the 
proof logic the reader is referred to Chandy [3]. 

2.1 Language 

In the UNITY programming language, a program begins with a program dec- 
laration that specifies the program’s name. This is followed by several program 
sections: 

1. A declare section, which names the program variables and declares their 
types. 

2. An optional always section, which defines program variables as functions 
of other variables. Variables defined in this section are essentially textual 
macros representing these functions, rather than actual state variables of 
the program. 

3. An initially section, which specifies initial values for the variables from the 
declare section. Uninitialized variables have arbitrary initial values. 

4. An assign section, the program’s body, which consists of a set of assign- 
ment statements. These statements may be single or multiple assignments, 
and may be conditional through the use of an if construct. They may also 
be quantified over predetermined ranges using the [] operator, which rep- 
resents nondeterministic choice. In a multiple assignment statement, all the 
expressions on the right side and any subscripts on the left side are evaluated 
first, then the values of the expressions on the right side are assigned to the 
corresponding variables on the left side. 

An example UNITY program that sorts an array of N elements is shown 
in Figure 1. The initialization sets the values for the elements of the array in 
program array-sort 
declare 
  a : array [N] of integer 
initially 
  ⟨‖ i : 0 ≤ i < N :: a[i] = N − i⟩ 
assign 
  ⟨[] i : 0 ≤ i < N − 1 :: a[i], a[i + 1] := a[i + 1], a[i] if a[i] > a[i + 1]⟩ 
end 

Fig. 1. A UNITY program that sorts an array of N integers 



parallel, and the quantified assignment is a nondeterministic choice among N − 1 
multiple assignment statements. In our implementation we do not deal with 
parallelism, but instead replace it with nondeterminism. 



2.2 Execution Model 

Execution of a UNITY program proceeds in the following way. First, the ini- 
tialization statements are executed, simultaneously, to set the state variables 
to their initial values. Then, statements are repeatedly selected and executed 
atomically. Statement selection is subject to a weak fairness constraint, which 
requires that every statement is selected infinitely often in every infinite exe- 
cution of the program. There are no other constraints on statement selection, 
so some statements may be executed far more often than others in any finite 
execution prefix. 

It is possible for a UNITY program to reach a fixed point, where there is no 
statement whose execution would change the value of any state variable. When 
this occurs, we say that the program has terminated. 

3 System Architecture 

The Mojave compiler supports various front-end languages which are trans- 
lated to a common functional intermediate representation. The typical code 
path through these source languages is shown in Figure 2 as (I). In addition, 
the integrated MetaPRL theorem prover can be used to perform transforma- 
tion and formal reasoning of the programs under compilation. Phobos acts as a 
bridge between source languages and the formal system by providing generic 
parsing and transformation capabilities using the term rewriting mechanism 
of MetaPRL. Programming language syntax can be specified with context-free 
grammars where rewrite rules are used to describe parser actions, and the pro- 
gram is represented as a term in the formal system. Program transformations 
[Figure 2 not reproduced; visible labels: Machine code, MetaPRL] 

Fig. 2. The Mojave compiler architecture 



and domain-specific knowledge can be specified using formal (which avoid cap- 
ture and are guaranteed not to change binding) and informal (which are used 
for parsing and can create binding) rewrite rules that are passed to MetaPRL for 
execution. The final term is then converted to a specified compiler representa- 
tion (in Figure 2 this is the functional IR) and compilation proceeds to generate 
executable code. 

3.1 Term Language 

The term rewriting engine we use belongs to the MetaPRL logical framework [10,14]. 
All logical terms, including goals and subgoals, are expressed in the language of 
terms. The general syntax of all terms has three parts. Each term has 1) an 
operator-name, which is a unique name identifying the term; 2) a list of parame- 
ters representing constant values; and 3) a list of subterms with possible variable 
binding occurrences. We use the following syntax to describe terms, based on 
the NuPRL definition [1]: 

opname[p₁; …; pₙ]{v₁.t₁; …; vₘ.tₘ} 

where opname is the operator name, p₁; …; pₙ are the parameters and v₁.t₁; …; vₘ.tₘ are the subterms. 



Here are a few examples: 

  Shorthand    Term 
  1            natural_number["1"]{} 
  λx.b         lambda[]{x. b} 
  f(a)         apply[]{f; a} 
  v            variable["v"]{} 
  x + y        sum[]{x; y} 



Variables are terms with a string parameter giving their names; numbers 
have an integer parameter with their value. The lambda term contains a binding 
occurrence: the variable x is bound in the subterm b. 
The rewriting engine used in MetaPRL is described in Hickey [9]. Rewriting 
rules are specified as a pair of terms t₁ ←→ t₂ using second-order substitu- 
tion. The term t₁, called the redex, contains second-order variables of the form 
v[v₁; ⋯; vₙ]; and the term t₂, called the contractum, contains corresponding 
second-order substitutions of the form v[t′₁; ⋯; t′ₙ], specifying the simultaneous 
substitution v[t′₁, …, t′ₙ / v₁, …, vₙ]. The following table lists a few examples: 



  Rewrite     apply{lambda{v. b[v]}; e} ←→ b[e] 
  Shorthand   (λv. b[v]) e ←→ b[e] 
  Example     (λx. x + x) 1 ←→ 1 + 1 

  Rewrite     match{pair{u; v}; x, y. b[x, y]} ←→ b[u, v] 
  Shorthand   (match (u, v) with x, y → b[x, y]) ←→ b[u, v] 
  Example     (match (1, 2) with x, y → x + y) ←→ (1 + 2) 



4 Implementation 

We now describe the conversion of terms representing UNITY abstract syntax to 
C abstract syntax using source notation. The underlying actual term representa- 
tion can be recovered in a straightforward manner. We also use the meta-syntax 
(::) to denote element insertion into a list, as used in OCaml. Occasionally, we 
show actual terms, in which case their names are underlined to distinguish them 
from abstract ones. 



  op     ::= + | − | * | / | and | … | = | ≠ | < | ≤ | > | ≥      binary operators 

  r      ::= e op v op e                                        range 
           | e op v op e & e                                    range with condition 

  e      ::= i | f | true | false                               numbers and Booleans 
           | v                                                  variables 
           | e op e                                             binary operation 
           | e[e]                                               subscripting 
           | e(e, …, e)                                         function application 

  assign ::= e, …, e = e, …, e                                  simple assignment 
           | e, …, e = e, …, e if e                             conditional assignment 
           | ⟨[] v, …, v : r, …, r :: assign⟩                   quantified assignment 

Fig. 3. UNITY assignment grammar 



4.1 The C Term Set 

The C term set is a straightforward implementation of the Mojave C abstract 
syntax type. Each OCaml constructor name is defined as a term; for instance 
C_declare of var * ty is represented as C-declare \var\ ty}, or C_if of cond 
* true * false is represented as C-if{cond] true; false}. When we can, we use 
C source syntax to denote these terms, for instance if {cond) true else false. 
4.2 Design 

The syntax we adopt for assignment statements in our implementation is defined 
in Figure 3 . We achieve the independence of individual assignments in the same 
statement by keeping two sets of state variables. For each variable declared in the 
program we introduce an “alias,” which stores the value of the aliased variable 
before entering a new statement. We use the alias for reading and the regular 
variable for writing, preserving the semantics of multiple assignment statements. 
The value of an alias may be different only when executing the statement that 
contains its aliased variable; upon exiting the statement, the two variables are 
synchronized. Throughout our discussion, we define the alias of variable v as 
ALIAS[v], and that of UNITY expressions as shown below. 

  ALIAS[i | f | true | false] → i | f | true | false        ALIAS[v] → v_alias 
  ALIAS[e₁ op e₂] → ALIAS[e₁] op ALIAS[e₂] 
  ALIAS[e₁[e₂]] → ALIAS[e₁][ALIAS[e₂]] 
  ALIAS[e_f(e₁, …, eₙ)] → LV[e_f](ALIAS[e₁], …, ALIAS[eₙ]) 

The lvalue expression LV[…] has all but the outermost variable replaced with 
aliases, since we want to use regular variables for writing but aliases for reading. 
For instance, LV[a[i]] → a[i_alias]. 

  LV[i | f | true | false] → i | f | true | false           LV[v] → v 
  LV[e₁ op e₂] → LV[e₁] op LV[e₂] 
  LV[e₁[e₂]] → LV[e₁][ALIAS[e₂]] 
  LV[e_f(e₁, …, eₙ)] → LV[e_f](ALIAS[e₁], …, ALIAS[eₙ]) 

We track any change in the global state by monitoring each assignment 
through SYNCHRONIZE. We update the alias for variable v with v itself 
if the two are different, in which case we set the global CHANGED variable 
to true. This allows us to identify changes to the state variables. 

  SYNCHRONIZE[v :: vars] → if (LV[v] ≠ ALIAS[v]) { 
                               CHANGED = true; 
                               ALIAS[v] = LV[v]; 
                           } :: SYNCHRONIZE[vars] 

The following illustrates how a simple statement with two conditional assign- 
ments is translated. 



  x, y := y, x if x > y   →   if (ALIAS[x] > ALIAS[y]) { 
                                  LV[x] = ALIAS[y]; 
                                  LV[y] = ALIAS[x]; 
                                  SYNCHRONIZE[x]; 
                                  SYNCHRONIZE[y]; 
                              } 




144 Adam Granicz, Daniel M. Zimmerman, and Jason Hickey 



4.3 Translation 



After parsing, the original UNITY program is represented as a program term 
(which we have pretty-printed in the rule below) whose subterms correspond to 
the declarations, identities, initializations and assignments in the program. The 
main step required to translate this term into C abstract syntax terms can be 
expressed as: 



  program id 
    declare v : ty, … 
    always v = e, … 
    initially inits 
    assign assigns 
  end 

    → 

  int main(…) { 
    int CHANGED; 
    C₁[v : ty, …] 
    C₂[inits] 
    while (!CHANGED) { 
      CHANGED = false; 
      SUBST[v = e, …; C₃[assigns]] 
    } 
  } 



where Ci, C2, C3 denote the translation process for declarations, initializa- 
tions and assignments, respectively, as defined below: 



  C₁[(v : ty) :: rest] → C_declare{v; ty} :: C₁[rest] 
  C₁[nil] → nil 

  C₂[init :: rest] → ASSIGN[init] :: C₂[rest] 
  C₂[nil] → nil 

  C₃[assign :: rest] → ASSIGN[assign] :: C₃[rest] 
  C₃[nil] → nil 

Note that we use the same translation for initializations and assignments to 
simplify our discussion. In the actual implementation, we have omitted the code 
that tracks state changes from the initializations. 



Identities. Given a list of variables and their identity expressions as defined in 
the always section of the source program, we simply substitute each expression 
in place of the variable. 

  SUBST[(v = exp) :: rest; prog[v]] → SUBST[rest; prog[exp]] 
  SUBST[nil; prog] → prog 

Assignments. The heart of our implementation is the translation of assignment 
statements. Simple, conditional and quantified assignments are translated by Ai, 
A2, A3, respectively. 

  ASSIGN[lvalues = values] → A₁[lvalues = values; lvalues] 
  ASSIGN[lvalues = values if cond] → A₂[lvalues = values if cond; lvalues] 
  ASSIGN[⟨[] cvars : quants :: assign⟩] → A₃[cvars; quants; assign] 

Simple assignments are translated directly, followed by the synchronization 
of all left-hand side expressions: 

  A₁[(v = exp) :: rest; lvalues] → (LV[v] = ALIAS[exp]) :: A₁[rest; lvalues] 
  A₁[nil; lvalues] → SYNCHRONIZE[lvalues] 

Conditional assignments are wrapped in an if statement: 

  A₂[assigns if cond; lvalues] → if (ALIAS[cond]) { 
                                    A₁[assigns; lvalues] 
                                 } 

Quantified assignments involve the use of control variables over which we 
quantify expressions. We translate these by first declaring the control variables, 
then recursively turning each quantifier (which is of the form e₁ op₁ v op₂ e₂) 
into a for-loop. To compute the initial values and upper bound for the for-loop, 
we use RANGEi and RANGE2, respectively, which are defined as: 

  RANGE₁[lv; e; <] → lv = e + 1 
  RANGE₁[lv; e; ≤] → lv = e 

  RANGE₂[lv; e; <] → lv < e 
  RANGE₂[lv; e; ≤] → lv ≤ e 

  A₃[cvars; quants; assigns] → C₁[cvars] @ A₃,₁[quants; assigns] 

  A₃,₁[(e₁ op₁ v op₂ e₂, none) :: quants; assigns] → 
      for (RANGE₁[ALIAS[v]; ALIAS[e₁]; op₁]; 
           RANGE₂[ALIAS[v]; ALIAS[e₂]; op₂]; 
           ALIAS[v]++) { 
        A₃,₁[quants; assigns] 
      } 

  A₃,₁[nil; assigns] → ASSIGN[assigns] 

If the quantifier includes extra conditions (such as in ⟨[] i : 0 <= i < 10 & 
odd(i) :: a[i] = i⟩), we wrap the final assignment clause in a conditional 
statement: 

  A₃,₁[(e₁ op₁ v op₂ e₂, cond) :: quants; assigns] → 
      for (RANGE₁[ALIAS[v]; ALIAS[e₁]; op₁]; 
           RANGE₂[ALIAS[v]; ALIAS[e₂]; op₂]; 
           ALIAS[v]++) { 
        if (cond) { 
          A₃,₁[quants; assigns] 
        } 
      } 

When the translation terminates, Phobos attempts to convert the final term 
to C abstract syntax, and the resulting OCaml structure is passed to Mojave for 
optimization and code generation. 
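As an added example, not code from the paper or from the Mojave project, here is the C that the rules of Sections 4.2 and 4.3 yield for the array-sort program of Figure 1, written out by hand, with the fixed-point loop of Section 2.2 as a do/while on CHANGED. Assumed names: a_alias stands for ALIAS[a], synchronize_elem for SYNCHRONIZE[a[i]], and run_array_sort returns the number of passes executed, which exhibits the behaviour discussed in Section 4.4 (one pass for a sorted input, N for a reverse-sorted one).

```c
#include <stdio.h>
#include <string.h>

#define N 8   /* array size of Figure 1; any N > 1 works */

/* State variables and their aliases (the paper's v and v_alias):
 * statements read a_alias and write a, so every right-hand side of a
 * multiple assignment sees the state from before the statement. */
static int a[N];
static int a_alias[N];
static int CHANGED;

/* SYNCHRONIZE[a[i]]: if the written value differs from the alias, copy it
 * back into the alias and record a global state change. */
static void synchronize_elem(int i)
{
    if (a[i] != a_alias[i]) {
        CHANGED = 1;
        a_alias[i] = a[i];
    }
}

/* One execution of the assign section of Figure 1 under the sequential
 * schedule: the N-1 statements of the quantified assignment run in index
 * order, as the for-loop produced by RANGE1, RANGE2 and A3 prescribes. */
static void assign_section(void)
{
    for (int i_alias = 0; i_alias < N - 1; i_alias++) {
        /* a[i], a[i+1] := a[i+1], a[i] if a[i] > a[i+1] */
        if (a_alias[i_alias] > a_alias[i_alias + 1]) {
            a[i_alias]     = a_alias[i_alias + 1];
            a[i_alias + 1] = a_alias[i_alias];
            synchronize_elem(i_alias);
            synchronize_elem(i_alias + 1);
        }
    }
}

/* Runs the program from the initial state init[]; writes the final state to
 * out[] and returns how many passes of the fixed-point loop were executed,
 * counting the final pass in which no variable changed. */
int run_array_sort(const int init[N], int out[N])
{
    memcpy(a, init, sizeof a);
    memcpy(a_alias, init, sizeof a_alias);   /* initially: aliases in sync */
    int passes = 0;
    do {
        CHANGED = 0;                 /* fixed-point detection of Section 2.2 */
        assign_section();
        passes++;
    } while (CHANGED);
    memcpy(out, a, sizeof a);
    return passes;
}

/* The initial state of Figure 1, a[i] = N - i (a reverse-sorted array). */
int run_figure1(int out[N])
{
    int init[N];
    for (int i = 0; i < N; i++) init[i] = N - i;
    return run_array_sort(init, out);
}

int is_sorted(const int v[N])
{
    for (int i = 0; i + 1 < N; i++)
        if (v[i] > v[i + 1]) return 0;
    return 1;
}

int main(void)
{
    int out[N];
    int passes = run_figure1(out);
    for (int i = 0; i < N; i++) printf("%d ", out[i]);
    printf("\nfixed point reached after %d passes\n", passes);   /* N passes */
    return 0;
}
```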
4.4 Further Considerations 

Our use of the CHANGED variable to track changes in the program state is 
based on the assumption that executing all assignment statements must result 
in a state change unless the program has reached a fixed point. Although this 
only holds in the absence of randomness, we see the expected benefits in most 
programs. For instance, the sorting program shown in Figure 1 terminates after 
one iteration if the input array is initially sorted, while it takes N iterations for 
arrays sorted in reverse order. 

Although we have described a concrete implementation for assignment trans- 
lation, we can easily modify our approach to be more abstract. By overriding 
A₁, A₂, and A₃ we may implement an alternative way of handling assignments. 
A simple modification would be to encode each assignment statement as a local 
function and store references to these functions in a global store. The main loop 
could then be modified to schedule assignment statements nondeterministically, 
by using a fair random number generator to determine the statement ordering 
and tracking state changes in a more sophisticated way. 

We could also replace the main program loop with a call to a generic sched- 
uler. This could be implemented as a C function to be linked against when 
compiling UNITY programs, providing full customization of the scheduler. 

In addition, we can easily translate to any target abstract syntax supported 
by the Mojave compiler by modifying the various A and C operators in our 
implementation. Source-to-source translation from any target abstract syntax is 
available using Mojave’s pretty-printing capabilities. 



5 Conclusion 

This paper has presented a method of translating UNITY programs into exe- 
cutable code, using term rewriting as an integral part of the compilation process. 
Our method has several advantages over other techniques for compiling UNITY 
programs, including easy translation to multiple languages and the ability to 
change the scheduler for UNITY statements. On the other hand, we have ig- 
nored rewriting termination or Church-Rosser properties of our implementation. 

We intend to exploit Mojave’s integrated MetaPRL theorem prover to carry 
out the derivation of formal proofs for properties of UNITY programs, and to 
apply our translation method to additional UNITY-based formalisms. Examples 
of such formalisms are the Communications and Control Language (CCL) [13], 
which we are using to specify and implement programs for multi- vehicle control 
systems [4], and Dynamic UNITY [18], a specification language and logic for 
message-passing systems that exhibit dynamic behavior (such as process creation 
and deletion) . 

We believe that translations from these formalisms can be carried out using 
methods similar to those we have applied to UNITY. The translation of Dynamic 
UNITY, in particular, will require significantly more runtime machinery than 
we have provided for UNITY programs; the presence of a weakly fair scheduler 
suffices to execute a UNITY program, but the execution of a Dynamic UNITY 
system requires additional constructs such as process tables and message queues. 
Abstract. We consider a new extension of the Skolem class for first- 
order logic and prove its decidability by resolution techniques. We then 
extend this class including the built-in equational theory of exclusive or. 
Again, we prove the decidability of the class by resolution techniques. 
Considering such fragments of first-order logic is motivated by the auto- 
matic verification of cryptographic protocols, for an arbitrary number of 
sessions; the first-order formalization is an approximation of the set of 
possible traces, for instance relaxing the nonce freshness assumption. 

As a consequence, we get some new decidability results for the verification 
of cryptographic protocols with exclusive or. 



1 Introduction 

The verification of cryptographic protocols deserved a lot of attention in the past 
few years, because of the huge application domain of secure communications 
via public channels. In this context, the full automation of verification tools is 
important because, in general, the same protocol appears in multiple contexts 
in a slightly altered form; each instance has to be verified since it is never clear 
whether a small modification has an impact on the security property or not. 

Such verification problems are typically relevant to model checking: given a 
protocol P and a security property φ, does P satisfy φ? And indeed, model- 
checking tools have been used successfully to find some attacks (the most famous 
one is due to G. Lowe [21]). However, proving the correctness of a protocol is 
much harder for several reasons. First of all, we must be very precise on the 
semantics of protocols and security properties; there is still today a debate on 
these aspects. Next, whatever model of the protocols is chosen, it is both infinite 
in depth (traces have an unbounded length, because arbitrarily many instances 
of the protocol, also called sessions can be involved) and infinitely branching 
(depending on an attacker’s input). Finally most of the protocols use nonces, 
which are supposed to be randomly generated numbers. As demonstrated by 
several authors [10,16,1], this yields undecidability of model checking, even in 
very restricted cases. 
There are two possible research directions, which proved to be relevant: either 
consider a bounded number of sessions, which is sufficient to restore decidability 
as shown e.g. in [26], or to consider an abstraction of the model, which may 
be sufficient for proving the protocol correct, but may also output “dummy” 
attacks. This line of research is followed by e.g. [28,3,5] and that is also what we 
consider in this paper. 

A first abstraction consists in replacing nonces with terms depending on 
the context. That is what is done in all abstraction techniques we know. Then, 
protocols can be modeled within first-order logic [4,28,3,8] and the satisfaction 
of most popular security properties such as secrecy and authentication reduces 
to satisfiability of a set of clauses (see e.g. [13]). 

However, even for protocols without nonces (or considering the above abstrac- 
tion), the verification of simple properties remains undecidable (e.g. [10]). On 
the other hand, experiments using general purpose automatic theorem provers 
such as SPASS, show that, most of the time, the proof search terminates. Trying 
to explain this phenomenon reduces to finding decidable fragments of first-order 
logic in which most of the protocols can be expressed (with the above sketched 
abstraction for nonces). For instance, we have shown in [9] that, for a significant 
class of protocols, the confidentiality problem can be reduced to the solvability 
of a class of set constraints with equality, itself shown to be decidable using tree 
automata with memory. 

On the other hand, all automated verification results rely, so far, on the 
perfect cryptography assumption, which, roughly, says that the message algebra 
is a free term algebra. Such a hypothesis is too strong since many protocols use 
cryptographic primitives which do have algebraic properties. A typical example 
is the exclusive or. As an example, Bull’s authentication protocol was proved 
to be secure with the perfect cryptography assumption, while there is an attack 
when the algebraic properties of xor are considered [24,27]. To our knowledge, 
there are very few results on verification of cryptographic protocols with xor: 
the only other result is a proof of decidability in case of a bounded number of 
sessions [14,6]. 

The work described in this paper has two motivations: on one hand to ex- 
plain the reasons why first-order theorem provers often terminate on protocol 
verification, on the other hand study the extensions considering the algebraic 
properties of exclusive or and an unbounded number of sessions. 

We already realized in [9] that one reason for undecidability, which does not 
occur in practice, is the agents ability to copy and locally modify two distinct 
pieces of a message, hence enabling the simulation of two counters machines. 
That is why we will consider here protocols in which an agent can copy “blindly” 
at most one piece of the message he receives. “Blindly” has the following (infor- 
mal) meaning: protocols consist in message exchange between (say) two agents. 
Upon receiving some message m, agent A breaks m into pieces, decrypting what 
she can decrypt. Each piece she gets is either known to her (it can be a public 
value such as an agent name or a nonce she generated earlier,...) or something 
she does not know (a ciphertext that she cannot decrypt, a nonce generated by 
the other party). Such data are represented by variables: an intruder could for 
instance replace them by arbitrary values. If the message that A is supposed to 
send makes use of such variables, we say that she copies “blindly” their content. 

Such a hypothesis on the uniqueness of blind copies seems relevant since 
most of the protocols of [7] fall into the class. On the model side, this corresponds 
to first-order clauses involving at most one variable. We will give more details in 
section 4. This is why we consider here the fragment of first-order logic consisting 
in clauses which contain at most one variable. Actually, we have to consider a 
larger fragment, because we need to express for instance intruder capabilities, 
which do not fall in this category. More precisely, we consider a clausal fragment 
in which every clause C either contains at most one variable or is such that 
every subterm t is either ground, a variable, or contains all variables of the 
clause. We prove that this fragment of first-order logic is decidable in section 
2, using ordered resolution techniques. This fragment is actually similar to the 
extension S⁺ of the Skolem class as defined in [18]. Still, it is different since, for 
instance, we will allow literals ±P(x) in clauses with multiple variables. We also allow 
arbitrary ground literals. 

Our main result is however the extension of this decidable class, considering 
the algebraic properties of xor: we prove in section 3 the decidability of fragment 
of first-order logic, which contains both the above class and the equality axioms 
for xor. Therefore we design a set of deduction rules and an ordered strategy, 
which we prove complete and terminating. 

One difficulty here is that there is almost no ordering on terms with vari- 
ables, which is stable by substitution. Hence we use an ordering which is stable 
by “non-collapsing” substitutions, restoring completeness using a rule similar to 
narrowing. Another difficulty is to control the number of variables occurring in 
clauses, which we need for termination. To this end, we impose stronger restric- 
tions on resolution and factorization, restoring completeness by extensions. 

Termination relies on technical results on unification with associativity, com- 
mutativity, identity and nilpotence (ACUN) and free symbols (which is known 
to be in NP [23]), typically concerning the sizes of mgus. Finally, completeness 
is obtained via classical semantic trees methods. 

In section 4, we show how the previous results apply to the verification of 
cryptographic protocols, hence providing the first decidability result for an un- 
bounded number of sessions, and considering the algebraic properties of xor. We 
illustrate the result, proving the correctness of a simple protocol. Our result is 
disjoint from [14,6]. On one hand, we consider an unbounded number of sessions 
(while it is bounded in [14,6]). On the other hand, in [14,6], there is no hypoth- 
esis on the number of blind copies and the result relies on constraint solving 
techniques and locality properties in the spirit of [22] . Note that first-order logic 
is not relevant for a bounded number of sessions since it would require to give a 
bound on the number of times a clause is used (e.g. using rigid variables). 

Due to space limitations, many proofs are only given in a technical report [12]. 
2 A Simple Decidable Fragment of First-Order Logic 

2.1 Definitions 

Let F be a finite set of function symbols, V a set of variables and 𝒫 a finite 
set of unary predicates. For every clause C (resp. every term u), 𝒱(C) (resp. 
𝒱(u)) is the set of variables of C (resp. of u). 𝒱(u, v) denotes 𝒱(u) ∪ 𝒱(v). If L 
is a positive literal, we write L′ = ±L for L′ ∈ {L, ¬L}. If u and t are terms of 
T(F ∪ V) and if x is in 𝒱(u), u[t/x] is the term u where every occurrence of x 
has been replaced by t. 

Definition 1. A clause set S belongs to the class 𝒞 if for every clause C in S, 
either C contains at most one variable or, for every literal L in C: 

1. either L = ±P(xᵢ) for some P ∈ 𝒫; 

2. or L = ±P(u[f(x₁, …, xₙ)/y]) for some P ∈ 𝒫 and some f ∈ F such that 
{x₁, …, xₙ} = 𝒱(C) and u is some term of T(F ∪ {y}). 

We may write that a clause C is in 𝒞 instead of saying that the set {C} is in 𝒞 
to express that C is a clause of the form described above. 

This class is incomparable with the class S⁺ as described in [18]. We believe 
that, with some additional technical details, we can extend our result so that our 
class contains S⁺. This is however not relevant for our application nor for the 
extension of the next section. As examples of sets of clauses that can be expressed 
in this class, let us mention for instance two-way alternating tree automata (see 
e.g. [11], chapter 7); since the emptiness of the automaton can also be expressed 
as a clause in the class, the decidability of 𝒞 implies the emptiness decidability 
for two-way alternating automata. 

If t ∈ T(F ∪ V), |t| is the depth of t (maximal size of its positions). For x ∈ V, 
|t|ₓ is the maximal depth of an occurrence of x in t. By convention, it is 0 if 
x ∉ 𝒱(t). |.| and |.|ₓ are extended to literals by |P(t)| = |t| and |P(t)|ₓ = |t|ₓ. 
We will prove the decision result by ordered resolution, using the ordering 
derived from the following definition. 

Definition 2. Let $A, B$ be two literals. 

$A < B$ if $|A| < |B|$ and if, for all $x \in V(A) \cup V(B)$, $|A|_x < |B|_x$. 
$A \le B$ if $A < B$ or $A = B$. 

Note that when $A < B$, we have in particular that $V(A) \subseteq V(B)$. 

A sufficient condition for completeness of ordered resolution is to use a liftable 
ordering [20,18], also called a stable ordering in [19]. 

Definition 3 (liftability). An ordering $\prec$ is liftable if, for all atoms $A, B$ 
and all substitutions $\theta$, $A \prec B$ implies $A\theta \prec B\theta$. 



Proposition 1. $<$ is a liftable ordering. 

2.2 Decidability Result 

Theorem 1 (decidability of $\mathcal{C}$). Let $S$ be a finite set of clauses such that $S$ 
belongs to $\mathcal{C}$. The satisfiability of $S$ is decidable. 

Proof sketch 

We use splitting (see e.g. [29]), ordered factorization and ordered binary 
resolution (see e.g. [2]), w.r.t. the partial ordering defined above, using a classical 
redundancy criterion [2], also called a posteriori criterion in e.g. [18]; we apply 
resolution on two clauses $C_1$ and $C_2$ only if no atom of the resolvent is greater 
than the resolved atom. Such an ordered strategy is complete [2,18]. It only 
remains to show termination. 

First, after splitting, we only generate clauses in $\mathcal{C}$. Then, define $\|C\|$ as the 
maximal depth of its literals and let $N$ be the maximum of $\|C\|$ for clauses $C$ in $S$. 
We show that, for every generated clause $C$ (after splitting), either $\|C\| \le N$, 
or else $C$ is ground and $\|C\| \le 2 \times N$. This is a consequence of simple lemmas 
on the unifiers of terms containing at most one variable, for instance: 

Lemma 1. Let $u, v$ be two terms such that $V(u) = \{x\}$ and $V(v) = \{y\}$. If they 
are unifiable with mgu $\sigma$, then either $u\sigma$ is ground and $|u\sigma| \le 2 \times \max(|u|, |v|)$ 
or else $|u\sigma| \le \max(|u|, |v|)$. 

Then, thanks to the ordered strategy, which only unifies maximal literals, we get 
the bound on $\|C\|$ for the generated clauses $C$. 

The termination follows from the fact that there are only finitely many clauses 
in C whose size is bounded and to which splitting does not apply. 



3 An Extension Including the Exclusive Or 

We are going to extend the result of the previous section, including algebraic 
properties of a binary symbol. We will proceed as in the previous section: we 
define an ordering and consider an ordered deduction strategy. There are however 
several additional problems: 

— for termination purposes, we need to keep control of the number of variables 
in each clause. Therefore we restrict the applicability of e.g. resolution and 
restore completeness by adding extension rules; 

— it is a hard task to find an ordering which is both liftable and compatible with 
the theory of xor. We use an ordering which is stable only under substitutions 
that do not introduce any simplification. Substitutions which 
introduce redexes are handled separately, as a pre-processing step; 

— for termination purposes, we need to control the size of unifiers, relying 
on the particular equational theory we consider. We will see the analogs of 
lemma 1 in section 3.2. 
3.1 Definition of the Class of Clauses 

In this part, we extend our class of clauses $\mathcal{C}$ to a class of clauses $\mathcal{C}^\oplus$ including the 
algebraic properties of $\oplus$ which are described in figure 1. The two last equations 
can be oriented from left to right and we get a convergent rewrite system modulo 
associativity and commutativity, provided we add the extended rule $y \oplus x \oplus x \to y$ 
(see e.g. [15] for definitions). For any term $t$ in $T(\mathcal{F} \cup \{\oplus\} \cup \mathcal{V})$, we write $t\downarrow$ for 
its normal form w.r.t. these rules. 

Formally, we consider a finite set $\mathcal{F}$ of function symbols containing the con- 
stant symbol 0, a set $\mathcal{V}$ of variables and a finite set $\mathcal{P}$ of predicate symbols. $\mathcal{C}^\oplus$ 
is a class of clauses extending $\mathcal{C}$, described below. 

Definition 4. A clause set $S$ belongs to $\mathcal{C}^\oplus$ if for every clause $C$ in $S$, either 
$C$ contains at most one variable or for every literal $L$ in $C$: 

1. either $L = \pm P(x_i)$ for some $P \in \mathcal{P}$; 

2. or $L = \pm P(u[f(x_1, \ldots, x_n)/y])$ for some $P \in \mathcal{P}$ and $f \in \mathcal{F}$ such that 
$\{x_1, \ldots, x_n\} = V(C)$ and $u$ is some term of $T(\mathcal{F} \cup \{\oplus\} \cup \{y\})$; 

3. or $C = \neg P(x_1) \vee \neg P(x_2) \vee P(x_1 \oplus x_2)$ for some $P \in \mathcal{P}$. 

Remarks: Note that for the second type of clauses ($\pm P(u[f(x_1, \ldots, x_n)/y])$), 
$f$ is forbidden to be $\oplus$ but $\oplus$ may occur in $u$. 

We will see in section 4 that the special clause $C_0 = \neg I(x) \vee \neg I(y) \vee I(x \oplus y)$ is 
used to encode the ability of the intruder to compute the xor of two terms. 

In the following, $S_0$ denotes the set of clauses in $S$ which are of the third 
type in the above definition. 

From now on, $=$ denotes the equality between terms (or literals) modulo the 
(AC) properties of xor while $=_\oplus$ denotes the equality between terms (or literals) 
modulo the whole equational theory of xor. 

Following the AC property of $\oplus$, we assume terms are written in flattened 
form: $\oplus$ may be considered as a variadic function symbol. Subterms are defined 
accordingly. For instance the subterms of $f(a \oplus b \oplus g(x))$ are $f(a \oplus b \oplus g(x))$, 
$a \oplus b \oplus g(x)$, $a$, $b$, $g(x)$, $x$; $a \oplus b$ and $a \oplus g(x)$ are not subterms. 

We extend $|.|$ and $|.|_x$ to terms of $T(\mathcal{F} \cup \{\oplus\} \cup \mathcal{V})$. Informally, since $\oplus$ is now 
a variadic symbol, it may in particular have only one argument, in which case 
we don't write it, hence don't count it in the size of the terms; that is why the 
following measure computes the length of the longest path, not taking $\oplus$ into 
account. 

Definition 5. $\|.\|$ is defined inductively by: 

1. $\|a\| = 1$ if $a \in \mathcal{V}$ or if $a$ is a constant symbol of $\mathcal{F}$; 

2. $\|f(t_1, \ldots, t_k)\| = 1 + \max_{1 \le i \le k} \|t_i\|$ for $f \in \mathcal{F}$; 

3. $\|t_1 \oplus \cdots \oplus t_n\| = \max_{1 \le i \le n} \|t_i\|$ if the head symbol of each $t_i$ is not $\oplus$. 

Then $|t|$ is defined as $\|t\downarrow\|$. $|.|_x$ is defined in the same way except for point 1: 
$\|x\|_x = 1$ and $\|a\|_x = 0$ if $a \in \mathcal{V} \setminus \{x\}$ or if $a$ is a constant symbol of $\mathcal{F}$. This is 
also extended to clauses by: $|C| = \max_{L \in C} |L|$ and $|\pm P(t)| = |t|$. 

$$x \oplus (y \oplus z) = (x \oplus y) \oplus z \qquad\qquad x \oplus y = y \oplus x$$
$$x \oplus 0 = x \qquad\qquad\qquad\qquad x \oplus x = 0$$

Fig. 1. Equational theory of the xor function symbol. 

Then the definition of $<$ (definition 2) is unchanged. However, $<$ is no longer a 
liftable ordering. 

Example 1. Let $L_1 = P(a \oplus b)$, $L_2 = P(f(x \oplus a) \oplus f(b \oplus a))$ and $x\theta = b$. Then 
$L_1 < L_2$ but $L_1\theta = P(a \oplus b) \not< L_2\theta = P(0)$. 
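The following Python script is an added example, not code from the paper: it implements the normal form of Fig. 1 (flattened, AC-sorted, with $x \oplus 0 \to x$ and $x \oplus x \to 0$), the measures $|.|$ and $|.|_x$ of Definition 5, the ordering $<$ of Definition 2 and collapse-freeness in the sense of Definition 6, and replays Example 1 and Example 2 below. The tuple encoding of terms and the choice to keep the Section 2 convention $|t|_x = 0$ when $x$ does not occur in $t$ are assumptions of ours.

```python
"""Terms over F ∪ {⊕} ∪ V as tuples (our encoding, not the paper's):
("var", name), ("const", name), ("app", f, (args,)), ("xor", (args,)).
The constant 0 of F is ("const", "0")."""
from collections import Counter

ZERO = ("const", "0")

def var(n): return ("var", n)
def const(n): return ("const", n)
def app(f, *args): return ("app", f, tuple(args))
def xor(*args): return ("xor", tuple(args))

def normalize(t):
    """Normal form w.r.t. Fig. 1: flatten nested ⊕ (AC, variadic), drop 0, keep a
    summand iff it occurs an odd number of times (x ⊕ x → 0), sort for a canonical
    AC representative; an empty sum is 0 and a one-element sum is its element."""
    if t[0] == "app":
        return ("app", t[1], tuple(normalize(a) for a in t[2]))
    if t[0] != "xor":
        return t
    counts = Counter()
    for a in t[1]:
        a = normalize(a)
        if a == ZERO:
            continue
        if a[0] == "xor":
            counts.update(a[1])      # a is normalized: its summands are not ⊕-headed
        else:
            counts[a] += 1
    summands = sorted((a for a, c in counts.items() if c % 2 == 1), key=repr)
    if not summands:
        return ZERO
    return summands[0] if len(summands) == 1 else ("xor", tuple(summands))

def flatten(t):
    """AC-canonical form only (flatten and sort), without the two rewrite rules;
    flatten(t) == normalize(t) exactly when t contains no redex."""
    if t[0] == "app":
        return ("app", t[1], tuple(flatten(a) for a in t[2]))
    if t[0] != "xor":
        return t
    out = []
    for a in t[1]:
        a = flatten(a)
        out.extend(a[1] if a[0] == "xor" else [a])
    return out[0] if len(out) == 1 else ("xor", tuple(sorted(out, key=repr)))

def subst(t, theta):
    """Apply a substitution {variable name: term}."""
    if t[0] == "var": return theta.get(t[1], t)
    if t[0] == "const": return t
    if t[0] == "app": return ("app", t[1], tuple(subst(a, theta) for a in t[2]))
    return ("xor", tuple(subst(a, theta) for a in t[1]))

def variables(t):
    if t[0] in ("var", "const"): return {t[1]} if t[0] == "var" else set()
    return set().union(*(variables(a) for a in (t[2] if t[0] == "app" else t[1])))

def size(t, x=None):
    """||t|| of Definition 5 on a term in normal form (⊕ adds no depth); with x given,
    ||t||_x, taken as 0 on subterms where x does not occur (Section 2 convention)."""
    if t[0] in ("var", "const"):
        return 1 if x is None or t == ("var", x) else 0
    if t[0] == "app":
        if x is not None and x not in variables(t):
            return 0
        return 1 + max(size(a, x) for a in t[2])
    return max(size(a, x) for a in t[1])

def measure(t, x=None):
    """|t| = ||t↓|| (and |t|_x likewise)."""
    return size(normalize(t), x)

def less(A, B):
    """A < B of Definition 2 on atoms (pred, term): |A| < |B| and |A|_x < |B|_x
    for every variable x of A or B."""
    ta, tb = A[1], B[1]
    if measure(ta) >= measure(tb):
        return False
    return all(measure(ta, x) < measure(tb, x) for x in variables(ta) | variables(tb))

def collapse_free(theta, terms):
    """Definition 6 for irreducible terms: theta is collapse-free iff instantiating
    t↓ creates no redex, i.e. (t↓)theta is already in normal form up to AC."""
    return all(flatten(subst(normalize(t), theta)) == normalize(subst(normalize(t), theta))
               for t in terms)

def example_1():
    """L1 < L2, but for xθ = b the instance L2θ collapses to P(0), so L1θ ≮ L2θ;
    θ is not collapse-free w.r.t. L2, which is exactly what Definition 7 excludes."""
    a, b, x = const("a"), const("b"), var("x")
    L1 = ("P", xor(a, b))
    L2 = ("P", xor(app("f", xor(x, a)), app("f", xor(b, a))))
    theta = {"x": b}
    L1t = ("P", normalize(subst(L1[1], theta)))
    L2t = ("P", normalize(subst(L2[1], theta)))
    return less(L1, L2), less(L1t, L2t), L2t[1], collapse_free(theta, [L2[1]])

def example_2():
    """u = h²(x) ⊕ h²(a) ⊕ x, v = h²(x): |u| = |v| = 3 but |uσ| = 5 for σ = {x ↦ h²(a)}."""
    a, x = const("a"), var("x")
    h2 = lambda t: app("h", app("h", t))
    u, v = xor(h2(x), h2(a), x), h2(x)
    sigma = {"x": h2(a)}
    return measure(u), measure(v), measure(subst(u, sigma)), normalize(subst(u, sigma))
```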

Actually, there are few orderings which are liftable and compatible with the 
rules of figure 1. For instance there is no such ordering which contains the sub- 
term ordering: we would have $x \oplus f(a) > a$, but then, instantiating $x$ with $a \oplus f(a)$, 
$(a \oplus f(a)) \oplus f(a) > a$, i.e. $a > a$! 
That is why we introduce the notions of narrow-liftable ordering and collapse-free 
substitution. 

Definition 6. A substitution $\sigma$ is normalized if, for every variable $x$, $x\sigma$ is in 
normal form. A substitution $\sigma$ is collapse-free w.r.t. a set of terms $S$ if for every 
$t \in S$, $t\sigma\downarrow = t\downarrow\sigma$. 

We will write $NS$ for the set of normalized substitutions and $CF(C_1, \ldots, C_n)$ 
for the set of collapse-free substitutions w.r.t. the set of subterms occurring in 
the clauses $C_1, \ldots, C_n$, which are supposed to be irreducible. 

Definition 7. An ordering $\prec$ is narrow-liftable if, for every atom $A, B$ and 
every substitution $\theta$ which is collapse-free w.r.t. $B$, $A \prec B$ implies $A\theta \prec B\theta$. 



Proposition 2. $<$ is a narrow-liftable ordering on literals of clauses of $\mathcal{C}^\oplus$. 



3.2 Some Useful Results on Unification 

It is well known that unifiability modulo the theory of figure 1 is NP-complete 
in the presence of free function symbols and that unification is finitary [23]. We 
need however finer results (the analogs of lemma 1) to control the size of terms. 

Lemma 2. If $u \neq v$ and $Var(u,v) \subseteq \{x\}$, then either $u$ and $v$ are not unifi- 
able (modulo the rules of figure 1) or else any (normalized) unifier $\sigma = \{x \mapsto w\}$ 
is such that $w$ is a ground term and either $w$ is a subterm of $u \oplus v$ or else 
$w = w_1 \oplus w_2$ is a normal form such that $w_1$ and $x \oplus w_2$ are subterms of $u$ or $v$. 
Moreover, $|x\sigma| \le \max\{|u|, |v|\}$. 

Note that $|u\sigma|$ may be strictly greater than $|u|$ and $|v|$. 

Example 2. Let us consider $u = h^2(x) \oplus h^2(a) \oplus x$ and $v = h^2(x)$. The most 
general unifier of $u$ and $v$ is $\sigma(x) = h^2(a)$ and $u\sigma = h^4(a)$. 
Lemma 3. If $Var(u) \cap Var(v) = \emptyset$ and $Var(u) \subseteq \{x\}$, $Var(v) \subseteq \{y\}$, $u \neq v$, 
then either $u$ and $v$ are not unifiable (modulo the rules of figure 1) or else every 
most general unifier $\theta$ of $u, v$ is, up to variable renaming, such that: 

— either there are ground subterms $w_1, \ldots, w_k$ of $u, v$ such that $x\theta = w_1 \oplus \cdots \oplus w_k$ 
(resp. $y\theta = w_1 \oplus \cdots \oplus w_k$) and $y\theta$ is ground (resp. $x\theta$ is ground); 

— or $x\theta = z \oplus t_1 \oplus \cdots \oplus t_k$, $y\theta = (u_1 \oplus \cdots \oplus u_n \oplus w_1 \oplus \cdots \oplus w_m)\theta$, where the $t_i$'s 
and the $w_i$'s are ground subterms of $u, v$, $n \ge 1$ and the $u_i$'s are non-ground 
subterms of $u$; or the converse, exchanging the roles of $x$ and $y$ (resp. of $u$ 
and $v$). 

Example 3. $g(a \oplus f(y \oplus f(a)), f^2(y)) = g(x, f^2(x))$ has a solution $x = y = 
a \oplus f(a)$. Instantiating the original terms, their measure grows. 

A similar technique allows us to conclude when $u$ or $v$ is equal to $u'[x \mapsto 
f(x_1, \ldots, x_n)]$. See the appendix for details. 

We design the ordering $<$ in such a way that it is stable under collapse-free sub- 
stitutions. Therefore, we have to show how it is possible to consider only such 
substitutions. A general result in [14] allows us to focus on collapse-free substitu- 
tions, roughly guessing the shared parts and performing the possible simplifications 
beforehand. That is also what we (roughly) do here. However, we also need 
to control the size of the resulting clauses, taking advantage of our additional 
assumptions. 

Lemma 4. For every clause $C \in \mathcal{C}^\oplus$, there is a finite set of clauses $\{C_1, \ldots, C_n\}$, 
denoted by narrow($C$), such that: 

$$\{C\sigma\downarrow \mid V(C\sigma) = \emptyset, \sigma \in NS\} = \bigcup_{i=1}^{n} \{C_i\sigma \mid V(C_i\sigma) = \emptyset, \sigma \in CF(C_1, \ldots, C_n)\}$$

Moreover, if $C \notin S_0$, every $C_i$ falls in one of the three following cases: $C_i = C$, 
or $C_i$ is ground and $|C_i| \le 2 \times |C|$, or $V(C) = \{x\}$ and $C_i = C\{x \mapsto y \oplus t_i\}\downarrow$ 
for some sum $t_i$ of ground subterms of $C$. 

3.3 The Decidability Result 

The goal of this section is to prove the following (main) result: 

Theorem 2 (decidability of $\mathcal{C}^\oplus$). Let $S$ be a finite set of clauses such that 
$S$ belongs to $\mathcal{C}^\oplus$. The satisfiability of $S$ is decidable. 

Thanks to lemma 4 we can restrict our attention to collapse-free substitu- 
tions, provided that we apply the rule which replaces $C$ with the set of clauses 
$C_i$ constructed in lemma 4. This rule is called the narrowing rule. 

But restricting ourselves to "collapse-free" ordered resolution is still not suffi- 
cient to ensure termination. Indeed, the repeated resolution of renamings of 
$C_0$ with themselves alone already yields an infinite set of clauses. That is why we will disallow 
resolution steps between clauses in $S_0$, restoring completeness using extensions. 
The situation is similar to the transitivity rule for which a special inference rule 
is designed: ordered chaining [2]. Extensions aim at inferring $P(s \oplus u) \vee C \vee D$ 
from $P(s \oplus t) \vee C$ and $P(t \oplus u) \vee D$ when $t$ is maximal among $s, t, u$. They consist 
in a short-cut of two resolution steps. 

Example 4. Let us consider $C_1 = \neg P(s(x) \oplus x)$ and $C_2 = P(s(h(y)) \oplus s(y))$. 
Applying the rule Extension 1, we get the clause $C_3 = \neg P(h(y) \oplus s(y))$: 

$$\frac{\neg P(s(x) \oplus x) \qquad P(s(h(y)) \oplus s(y))}{\neg P(h(y) \oplus s(y))} \quad \text{with } t_1 = s(x),\ u_1 = s(h(y)) \text{ and } \theta = \{x \mapsto h(y)\}.$$

$C_3$ could have been obtained by two successive binary resolution steps if we 
had allowed for resolution with clauses in $S_0$: 

$$\frac{\neg P(s(x) \oplus x) \qquad \neg P(z) \vee \neg P(z') \vee P(z \oplus z')}{\neg P(s(h(y)) \oplus s(y)) \vee \neg P(h(y) \oplus s(y))} \quad \text{with } x = h(y),\ z = s(h(y)) \oplus s(y) \text{ and } z' = h(y) \oplus s(y),$$

and 

$$\frac{\neg P(s(h(y)) \oplus s(y)) \vee \neg P(h(y) \oplus s(y)) \qquad P(s(h(y)) \oplus s(y))}{\neg P(h(y) \oplus s(y))}.$$

Deduction rules are displayed in Figure 2. As usual (see e.g. [18]), repeatedly 
applying the deduction rules of figure 2 together with a splitting rule yields a 
sequence of sets of sets of clauses: $\mathcal{S}_0 = \{S\}$ and $\mathcal{S}_{i+1}$ is obtained: 

— either by replacing $S_j \in \mathcal{S}_i$ by $S_j \cup \{C\}$ if $C$ can be inferred from $S_j$ using a 
rule of figure 2, 

— or by replacing some $S_j \cup \{C \vee C'\} \in \mathcal{S}_i$ with the two sets $S_j \cup \{C\}$ and $S_j \cup \{C'\}$ 
if $Var(C) \cap Var(C') = \emptyset$. 

We also remove redundant clauses at each step. For our purpose, it is sufficient 
to remove clauses $L \vee L' \vee C$ when $L \vee C$ is in the set of clauses. 

Lemma 5 (Correctness). The narrowing rule and the deduction rules of figure 
2 are correct (the set of models of one of the clause sets in $\mathcal{S}_i$ is the same as the 
set of models of one of the clause sets in $\mathcal{S}_{i+1}$) and, if every clause set in $\mathcal{S}_i$ is 
in $\mathcal{C}^\oplus$, then every clause set in $\mathcal{S}_{i+1}$ is in $\mathcal{C}^\oplus$. 

Lemma 6 (Termination). The sequence $\mathcal{S}_i$ is finite when starting from $\mathcal{S}_0 = 
\{S\}$ and $S \in \mathcal{C}^\oplus$. 

Proof (sketch). The sequence $\mathcal{S}_i$ is finite iff applying the rules of figure 2 together 
with the rule $C \vee C' \to C$ when $Var(C) \cap Var(C') = \emptyset$ terminates when starting 
from $S$. 

We are going to give an upper bound on the size of a clause $C$ in a set of 
$\mathcal{S}_i$. Let $T$ be the set of ground subterms of $S$ and $N = \max_{L \in C, C \in S} |L|$. We show 
by induction on $i$ that, for every clause $C$ of a set of $\mathcal{S}_i$, either $C$ is ground and 
$|C| \le 2N$, or $C$ is not ground and $|C| \le N$, or $C$ contains exactly one variable 
$x$ and $|C\{x \mapsto x \oplus t\}| \le N$ for some $t \in T$. 
Binary Resolution 

$$\frac{\neg P(t) \vee C \qquad P(u) \vee C'}{(C \vee C')\sigma}$$ 

if $\sigma \in mgu(t,u)$ is collapse-free w.r.t. the literals in $C, C'$, and $P(t)\sigma \not< C\sigma \vee C'\sigma$. 

Factorization 

$$\frac{L_1 \vee L_2 \vee C}{(L_1 \vee C)\sigma}$$ 

if $\sigma \in mgu(L_1, L_2)$, $\sigma$ is collapse-free w.r.t. the literals in the clause, and $L_1\sigma \not< C\sigma$. 

Narrowing 

$$\frac{C}{(C\sigma)\downarrow}$$ 

if $(C\sigma)\downarrow \in$ narrow($C$). 

Explosion 

$$\frac{P(t \oplus u) \vee C}{(P(t \oplus u) \vee C)\sigma}$$ 

if $t$ is ground, $u\sigma$ is ground and $u\sigma < t$. 

Extension 1 

$$\frac{\neg P(t) \vee C \qquad P(u_1 \oplus u_2) \vee C'}{(C \vee C' \vee \neg P(t_2 \oplus u_2))\theta}$$ 

if $P(x \oplus y) \vee \neg P(x) \vee \neg P(y) \in S_0$, $t = t_1 \oplus t_2$ (or $t = t_1$ and $t_2 = 0$), 
$Var(t) = Var(t_1)$, $\theta \in mgu(t_1, u_1)$, $\theta$ is collapse-free w.r.t. $t$, $u_1 \oplus u_2$, $t_2 \oplus u_2$, 
and $(C \vee C' \vee \neg P(t_2 \oplus u_2))\theta \not> t_1\theta$. 

Extension 2 

$$\frac{P(t) \vee C \qquad P(u_1 \oplus u_2) \vee C'}{(C \vee C' \vee P(t_2 \oplus u_2))\theta}$$ 

if $\neg P(x) \vee \neg P(y) \vee P(x \oplus y) \in S_0$, $t = t_1 \oplus t_2$ (or $t = t_1$ and $t_2 = 0$), 
$Var(t) = Var(t_1)$, $\theta \in mgu(t_1, u_1)$, $\theta$ is collapse-free w.r.t. $t$, $u_1 \oplus u_2$, $t_2 \oplus u_2$, 
and $(C \vee C' \vee P(t_2 \oplus u_2))\theta \not> t_1\theta$. 

All rules only apply to non-splittable clauses not belonging to $S_0$. 
Fig. 2. Deduction rules. 



To prove this, we investigate all possible cases (each deduction rule) and we 
rely on lemmas 2 and 3 (detailed proof in [12]). 

Then, we show that there are only finitely many ground clauses such that 
$|C| \le 2N$ (this relies on the nilpotence of $\oplus$) and only finitely many non-ground 
clauses in $\mathcal{C}^\oplus$ such that $|C| \le N$ or $|C\{x \mapsto x \oplus t\}| \le N$ for some $t \in T$. 

Thanks to lemma 6, the sequence $\mathcal{S}_i$ is finite. We let $\mathcal{E}^*(S)$ be its limit, when 
starting from $\mathcal{S}_0 = \{S\}$, $S \in \mathcal{C}^\oplus$. 
Lemma 7 (Completeness). Let $S \in \mathcal{C}^\oplus$. $S$ is unsatisfiable if and only if for 
every set $S' \in \mathcal{E}^*(S)$, $\bot \in S'$. 

Proof (sketch): our deduction system is correct, thus if $\bot \in S^*$ for every set 
$S^* \in \mathcal{E}^*(S)$ then $S$ is not satisfiable. 

Assume $S$ is not satisfiable and assume $\bot \notin S^* \in \mathcal{E}^*(S)$. 

We extend our partial ordering $<$ on literals to a total ordering $\sqsubset$ on ground 
literals in the following way. 

Let $<$ be any total ordering on the predicates $\mathcal{P}$ and on the function symbols 
$\mathcal{F}$. We extend $<$ to $\mathcal{F} \cup \{\oplus\}$ by $\oplus < f$ for all $f \in \mathcal{F}$. We then let $m(t)$ be 
the triple $(|t|, top(t), Sub(t))$ where $top(t)$ is the top symbol of $t$ and $Sub(t)$ are 
its immediate (strict) subterms. For two ground terms in normal form, we let 
$t \sqsubset t'$ if $m(t) < m(t')$ where the triples are lexicographically ordered, using the 
ordering on $\mathcal{F}$ for the second component, the lexicographic extension of $\sqsubset$ on 
the subterms when the top symbol is not $\oplus$ and the multiset extension of $\sqsubset$ 
otherwise. 

Let $L_1, L_2$ be two ground positive literals: $L_1 = P_1(t_1)$ and $L_2 = P_2(t_2)$. 
Then $L_1 \sqsubset L_2$ if either $t_1 \sqsubset t_2$, or $t_1 = t_2$ and $P_1 < P_2$. 

By definition, $\sqsubset$ extends $<$ and $\sqsubset$ is a total ordering. The Herbrand base 
is totally ordered accordingly, as well as partial interpretations. As usual in se- 
mantic tree methods, since $S$ is unsatisfiable, by correctness $S^*$ is unsatisfiable, 
hence its semantic tree is finite (the set of partial interpretations which do not 
falsify a clause of $S^*$). 

Then we consider a partial interpretation $I$ whose two extensions to $P_1(v)$ 
falsify a clause of $S^*$ and which is minimal w.r.t. the lexicographic ordering 
on partial interpretations. (This is a "leftmost" node whose two sons are failure 
nodes in the semantic tree.) The lexicographic ordering on partial interpretations 
is defined by $I >_{lex} J$ if, when $P(u)$ is the maximal element of the Herbrand base 
such that $I$ and $J$ coincide on literals strictly smaller than $P(u)$, $I(P(u)) = 1$ and 
$J(P(u)) = 0$. 

By factorization we may assume that the two clauses $C_1, C_2$ falsified by the 
two extensions of $I$ are such that $P_1(v) \vee C'_1 = C_1\sigma_1$ and $\neg P_1(v) \vee C'_2 = C_2\sigma_2$ for 
some $C_1, C_2 \in S^* \cup S_0$ such that $C'_1, C'_2 \sqsubset P_1(v)$. By narrowing, we may assume 
that $\sigma_1$ is collapse-free w.r.t. $C_1$ and $\sigma_2$ is collapse-free w.r.t. $C_2$. We distinguish 
four cases: either $C_1, C_2 \in S_0$, or $C_1 \in S_0$ and $C_2 \notin S_0$, or $C_1 \notin S_0$ and $C_2 \in S_0$, or 
else $C_1, C_2 \notin S_0$. 

These cases are described in more detail in the appendix; we sketch here the 
reasons why it works: 

Case $C_1, C_2 \in S_0$: We prove directly that there is another smaller clause falsi- 
fied by $I$, simply recombining the terms in the right order. This corresponds 
to the uselessness of extensions of extensions. 

Case $C_1 \in S_0$, $C_2 \notin S_0$: Let $C_1\sigma_1 = \neg P_0(x)\sigma_1 \vee \neg P_0(y)\sigma_1 \vee P_0(x \oplus y)\sigma_1$, $x\sigma_1 = 
v_1$, $y\sigma_1 = v_2$, and $(x\sigma_1 \oplus y\sigma_1)\downarrow = v$. There exist $v'_1, v'_2, v'$ such that $v = 
v'_1 \oplus v'_2$, $v_1 = v'_1 \oplus v'$ and $v_2 = v'_2 \oplus v'$ without any collapse, or $v = v_1 \oplus v_2$ 
without any collapse. We only consider the first case since the second one is 
similar. By hypothesis, $v_1 \sqsubset v$, $v_2 \sqsubset v$ and therefore $I(P_0(v_1)) = I(P_0(v_2)) = 1$. 
Assume w.l.o.g. that $P_0(v_1) \sqsubset P_0(v_2)$. Now, by minimality of the interpretation 
$I$ (w.r.t. the lexicographic ordering), the partial interpretation $J$ which coincides 
with $I$ on literals strictly smaller than $P_0(v_1)$ and such that $J(P_0(v_1)) = 0$ 
falsifies a clause $C_3 = P_0(u) \vee C''$ of $S^*$. We consider again two cases, 
depending on whether this clause is in $S_0$ or not. 

Assume $C_3 \notin S_0$ and that no factorization can be applied. Also, by nar- 
rowing, $C_3$ does not contain any redex and $v_1 = u\sigma_3$. Moreover, $P_0(v_1)$ 
is maximal in $C_3\sigma_3$. We are going to show that we can apply Extension 
1 (possibly after Explosion) to $C_2$ and $C_3$, yielding a clause falsified by 
$I$. We let $C_2 = \neg P_0(t) \vee C$. We have $v = t\sigma_2$ and $\sigma_2$ is collapse-free, 
thus $t = t_1 \oplus t_2$ such that $t_1\sigma_2 = v'_1$ and $t_2\sigma_2 = v'_2$. In the same way, 
$u = u_1 \oplus u_2$ such that $u_1\sigma_3 = v'_1$ and $u_2\sigma_3 = v'$. This means in particular 
that $t_1, u_1$ are unifiable. By Explosion, we may assume that $V(t) = V(t_1)$ 
and, by lemma 3, that there is a $\theta \in mgu(t_1, u_1)$ such that $\sigma_2 \uplus \sigma_3 = \theta\theta'$. 
Moreover, let $w$ be the maximal strict direct subterm of $v$. Since $v_2 \sqsubset v_1 \sqsubset v$, 
$w$ is a strict direct subterm of $v'_1$, thus $v_2 = v'_2 \oplus v' \sqsubset v'_1$. The inequality 
$v_2 = v'_2 \oplus v' \sqsubset v'_1$ gives $t_2\sigma_2 \oplus u_2\sigma_3 \sqsubset t_1\sigma_2$, hence $(t_2 \oplus u_2)\theta\theta' \sqsubset t_1\sigma_2$. It follows 
that $(t_2 \oplus u_2)\theta \not> t_1\theta$. In addition, $\theta$ is collapse-free w.r.t. $t$, $t_1 \oplus t_2$, $t_2 \oplus u_2$ 
and the clauses $C$ and $C''$. Then, we can apply Extension 1 and there is a 
clause $(C \vee C'' \vee \neg P_0(t_2 \oplus u_2))\theta$, which is already falsified by $I$. 

The case $C_3 \in S_0$ reduces to the previous case where $C_1, C_2 \in S_0$. 

Case $C_1 \notin S_0$, $C_2 \in S_0$: this case is symmetric to the previous one, replacing 
Extension 1 with Extension 2. 

Case $C_1, C_2 \notin S_0$: We simply use Resolution; there is a smaller clause which 
is already falsified by $I$. 

4 Application to Cryptographic Protocols 

We assume the reader is familiar with the notions of agent, nonce, intruder, ... In 
this section, we show how security properties for a class of protocols can be 
expressed as the satisfiability of a set of clauses $S \in \mathcal{C}^\oplus$. We also propose a simple 
(new) cryptographic protocol, which we prove correct using our technique. 

We have presented in [13] a clausal model of cryptographic protocols. This 
model is a generalization of Paulson's model [25] and the strand spaces model [17]. 
Unfortunately, it is much too expressive for decidability results. That is why we 
use here an abstraction where the freshness of nonces is no longer guaranteed. 
It may induce false attacks but it is correct: if an abstracted protocol is proven 
correct then it is correct in the general model. 

Messages are terms constructed over the alphabet $\mathcal{F} = \{\langle \_, \_ \rangle, \{\_\}_{\_}, h\}$ and 
a finite set of constants $\mathcal{C}$, depending on the protocol. 

— $\langle m_1, m_2 \rangle$ represents the concatenation of the two messages $m_1$ and $m_2$; 

— $\{m_1\}_{m_2}$ represents the term $m_1$ encrypted by $m_2$; 

— $h(m)$ represents the hash of $m$. 

Note that we allow compound keys, for example. We could also express asym- 
metric encryption but, for the sake of simplicity, we do not present this in this 
paper. As explained in the introduction, this representation implicitly uses the 
perfect encryption assumption: 

$$\{m\}_k = \{m'\}_{k'} \Rightarrow m = m' \wedge k = k'.$$

To relax this assumption, we add the $\oplus$ symbol together with its equational 
theory (described in Fig. 1): $m_1 \oplus m_2$ represents the message $m_1$ xored with the 
message $m_2$. The xor function is widely used to encrypt messages by blocks [7]. 
It can also be used to implement a computationally cheap encryption: if $K$ is a 
private key, then, instead of encrypting $m$ with $K$, we may simply xor $m$ and $K$. 
This is the case in the Bull protocol described in [24], which requires abstraction 
to fit in our class. We also propose the following protocol, which aims at sending 
a secret $S_{ab}$ shared by agents $a, b$, without using explicit encryption (hence using 
fewer time resources): 

$$A \to B : N_a \oplus K_{ab}$$
$$B \to A : N_b \oplus N_a$$
$$A \to B : S_{ab} \oplus N_b$$

At the first step, the agent $A$ sends a nonce $N_a$ xored with the shared key 
between $A$ and $B$. 

We consider a predicate $I$ which represents the set of messages possibly 
known to the intruder. Abstracting nonces by constants, the first rule of our 
protocol can be represented by the following clause: 

$$\Rightarrow I(n^1_{ab} \oplus K_{ab}) \qquad (1)$$

where $n^1_{ab}$ and $K_{ab}$ are constant symbols. At the second step, the agent $B$ can retrieve 
$N_a$ by xoring the message he received with $K_{ab}$. Then he generates a new nonce 
$N_b$ and sends the message $N_b \oplus N_a$. This can be represented by: 

$$I(z) \Rightarrow I(z \oplus n^2_{ab} \oplus K_{ab}) \qquad (2)$$

where $n^2_{ab}$ is a constant symbol. Eventually, when the agent $A$ receives $B$'s 
message, she can retrieve $N_b$ and send the secret $S_{ab}$ by xoring it with $N_b$: 

$$I(z) \Rightarrow I(z \oplus n^1_{ab} \oplus S_{ab}) \qquad (3)$$

These three clauses belong to our class $\mathcal{C}^\oplus$. Applying the reduction result of [13], 
we may assume that there are only two honest agents $a, b$ and one dishonest 
agent $c$. We assume here that an honest agent is not allowed to speak with himself 
since we think this hypothesis is more realistic. Then, all clauses corresponding 
to the protocol rules are displayed in Figure 3. We use a finite set of constants 

$$\mathcal{C} = \bigcup_{ij \in \{ab, ba, ac, ca, cb, bc\}} \{n^1_{ij}, n^2_{ij}, S_{ij}\} \cup \{K_{ab}, K_{ac}, K_{bc}\}.$$

Such a representation can be generalized to arbitrary protocols, and we stay 
within $\mathcal{C}^\oplus$ as soon as, at each step, at most one part of the message is blindly 
copied. 
First rule: 

$$\Rightarrow I(n^1_{ab} \oplus K_{ab}) \qquad \Rightarrow I(n^1_{ba} \oplus K_{ab}) \qquad \Rightarrow I(n^1_{ac} \oplus K_{ac})$$
$$\Rightarrow I(n^1_{ca} \oplus K_{ac}) \qquad \Rightarrow I(n^1_{bc} \oplus K_{bc}) \qquad \Rightarrow I(n^1_{cb} \oplus K_{bc})$$

Second rule: 

$$I(z) \Rightarrow I(z \oplus n^2_{ab} \oplus K_{ab}) \qquad I(z) \Rightarrow I(z \oplus n^2_{ba} \oplus K_{ab})$$
$$I(z) \Rightarrow I(z \oplus n^2_{ac} \oplus K_{ac}) \qquad I(z) \Rightarrow I(z \oplus n^2_{ca} \oplus K_{ac})$$
$$I(z) \Rightarrow I(z \oplus n^2_{bc} \oplus K_{bc}) \qquad I(z) \Rightarrow I(z \oplus n^2_{cb} \oplus K_{bc})$$

Third rule: 

$$I(z) \Rightarrow I(z \oplus n^1_{ab} \oplus S_{ab}) \qquad I(z) \Rightarrow I(z \oplus n^1_{ba} \oplus S_{ba})$$
$$I(z) \Rightarrow I(z \oplus n^1_{ac} \oplus S_{ac}) \qquad I(z) \Rightarrow I(z \oplus n^1_{ca} \oplus S_{ca})$$
$$I(z) \Rightarrow I(z \oplus n^1_{bc} \oplus S_{bc}) \qquad I(z) \Rightarrow I(z \oplus n^1_{cb} \oplus S_{cb})$$

Fig. 3. Rules representing our protocol for three participants $a$, $b$ and $c$. 



$$\Rightarrow I(K_{ac}) \qquad \Rightarrow I(K_{bc})$$ 
The intruder knows all keys of compromised agents. 

$$I(x), I(y) \Rightarrow I(x \oplus y)$$ 
The intruder may apply the xor function to any messages. 

$$I(x), I(y) \Rightarrow I(\{x\}_y)$$ 
The intruder can encrypt a known message with a known key. 

$$I(\{x\}_y), I(y) \Rightarrow I(x)$$ 
The intruder can retrieve the clear text of a message encrypted with a known key. 

Fig. 4. Some of the clauses defining $I$. 



It remains to describe the intruder capabilities: he sees every message sent 
through the network and may send new messages. He knows the private keys of 
dishonest agents. In addition, he is able to compose and decompose messages. 
Intruder capabilities can be encoded by clauses of $\mathcal{C}^\oplus$. In particular, the ability 
of the intruder to apply the xor function is described by the clause $\neg I(x) \vee 
\neg I(y) \vee I(x \oplus y)$. Some of the clauses are described in Fig. 4. Actually, only the 
first three rules are relevant for our example since we only use the $\oplus$ symbol. 

Now, we want to prove that $S_{ab}$ remains unknown to the intruder when $a$ and 
$b$ are honest. Such a property may be expressed by the clause $\phi_0 = \neg I(S_{ab})$. 
Let $C_P$ be the clauses described in Fig. 3 and Fig. 4. The protocol satisfies 
our security property if and only if $C_P \cup \{\phi_0\}$ is satisfiable: we are back to a 
satisfiability problem. Such a reduction actually works for any purely negative 
security property [13]. 

As a consequence, the security of our abstracted protocol can be decided by 
our decision procedure. And the answer is yes: our protocol preserves secrecy! 

Proposition 3. The set of clauses representing our protocol together with the 
security property, $C_P \cup \{\phi_0\}$, is satisfiable. 
Proof. We split the set of constants $\mathcal{C}$ into the set of (supposedly) secret data 
$D_1$ and known data $D_2$: $D_1 = \{n^1_{ab}, n^1_{ba}, n^2_{ab}, n^2_{ba}, S_{ab}, S_{ba}, K_{ab}\}$ and $D_2 = \mathcal{C} \setminus D_1$. 

Jumping to the fixed point, we consider a set of terms $T$ (resp. $T'$) such that an 
even (resp. odd) number of "secret" data is xored: 

$$T = \{u_1 \oplus \cdots \oplus u_n \oplus t_1 \oplus \cdots \oplus t_m \mid n \text{ is even}, u_i \in D_1, t_j \in D_2, u_i, t_j \text{ distinct}\}.$$

Then we consider the following set of clauses: 

$$S^* = \{I(m) \mid m \in T\} \cup \{\neg I(z \oplus m_1) \vee I(z \oplus m_2) \mid m_1 \oplus m_2 \in T\}$$
$$\cup \{\neg I(m_1) \vee I(m_2) \mid m_1 \oplus m_2 \in T\} \cup \{\neg I(m) \mid m \in T'\}.$$

$S^*$ contains $C_P \cup \{\phi_0\}$, thus it is sufficient to prove that $S^*$ is satisfiable (actually 
$S^*$ is obtained from $C_P \cup \{\phi_0\}$ by applying our deduction rules, thus $S^*$ is satis- 
fiable iff $C_P \cup \{\phi_0\}$ is satisfiable). $S^*$ is saturated by our inference rules (see [12] 
for more details). Applying theorem 2, since $\bot \notin S^*$, it follows that $C_P \cup \{\phi_0\}$ is 
satisfiable. □ 

Since the abstraction is an upper approximation, the above proposition shows 
that the protocol is secure. 
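As an added example, not from the paper: the abstracted protocol of this section uses only $\oplus$ over the finite set of constants $\mathcal{C}$, so every message is a xor-sum of distinct constants and the intruder's knowledge (the messages of Fig. 3, the compromised keys of Fig. 4, closed under the xor clause) is a linear span over GF(2). The script below computes that span, checks that $S_{ab}$ is not derivable while $S_{ac}$ (shared with the dishonest $c$) is, and verifies the parity invariant behind the sets $T$ and $T'$ of the proof. The constant names and the set $D_1$ follow the text; the bit-vector encoding and the agent bookkeeping are ours.

```python
"""Intruder knowledge of the xor-only abstracted protocol (agents a, b honest, c
dishonest). A message is a set of constants, encoded as a bit vector, and xor is
bitwise xor (x ⊕ x = 0). Constructed example; the encoding is ours."""
from itertools import permutations

AGENTS = ("a", "b", "c")
DISHONEST = {"c"}
PAIRS = ["".join(p) for p in permutations(AGENTS, 2)]   # ab, ac, ba, bc, ca, cb

def key(i, j):
    """Shared keys are symmetric: K_ab and K_ba are the same constant."""
    return "K_" + "".join(sorted(i + j))

CONSTANTS = sorted({f"n1_{ij}" for ij in PAIRS} | {f"n2_{ij}" for ij in PAIRS}
                   | {f"S_{ij}" for ij in PAIRS} | {key(*ij) for ij in PAIRS})
BIT = {c: 1 << k for k, c in enumerate(CONSTANTS)}

def msg(*names):
    """The xor-sum of the named constants as a bit vector."""
    v = 0
    for n in names:
        v ^= BIT[n]
    return v

def generators():
    """Messages the intruder obtains directly. Rules 2 and 3 have the form
    I(z) ⇒ I(z ⊕ m): since I(0) holds (x ⊕ x) and I is closed under ⊕, knowing z
    and z ⊕ m is the same as knowing m, so the added part m is a generator."""
    gens = []
    for ij in PAIRS:
        i, j = ij
        gens.append(msg(f"n1_{ij}", key(i, j)))      # first rule of Fig. 3
        gens.append(msg(f"n2_{ij}", key(i, j)))      # second rule, the added part
        gens.append(msg(f"n1_{ij}", f"S_{ij}"))      # third rule, the added part
    for i in DISHONEST:                              # Fig. 4: I(K_ac), I(K_bc)
        for j in AGENTS:
            if j != i:
                gens.append(msg(key(i, j)))
    return gens

def gf2_basis(vectors):
    """Echelon basis of the span over GF(2), keyed by leading bit."""
    basis = {}
    for v in vectors:
        while v:
            lead = v.bit_length() - 1
            if lead not in basis:
                basis[lead] = v
                break
            v ^= basis[lead]
    return basis

def derivable(v, basis):
    """v is in the span iff it reduces to 0 against the basis."""
    while v:
        lead = v.bit_length() - 1
        if lead not in basis:
            return False
        v ^= basis[lead]
    return True

# D_1 of the proof: the data that must stay secret between the honest agents.
SECRET = {"n1_ab", "n1_ba", "n2_ab", "n2_ba", "S_ab", "S_ba", "K_ab"}

def secret_parity(v):
    """Number of D_1 constants in the sum, modulo 2 (0 for T, 1 for T')."""
    return sum(1 for c in SECRET if v & BIT[c]) % 2

def analyse():
    """Decide a few secrecy questions and check the invariant: every generator has
    an even number of secrets, and parity is linear, so the whole span lies in T."""
    basis = gf2_basis(generators())
    return {
        "S_ab": derivable(msg("S_ab"), basis),
        "S_ac": derivable(msg("S_ac"), basis),
        "K_ab": derivable(msg("K_ab"), basis),
        "n1_ab": derivable(msg("n1_ab"), basis),
        "n1_ab+K_ab": derivable(msg("n1_ab", "K_ab"), basis),
        "all_generators_even": all(secret_parity(g) == 0 for g in generators()),
    }
```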

Note: Instead of using the reduction result of [13], we could have introduced 
an arbitrary number of participants by adding new variables. For example, the 
second rule of our protocol could be represented by the clause: 

$$A(x), A(y), I(z) \Rightarrow I(z \oplus n_2(x, y) \oplus K(x, y)),$$

where $x$ and $y$ are variables representing agents. Such a clause does not belong to 
our class $\mathcal{C}^\oplus$ but we could extend $\mathcal{C}^\oplus$ to clauses with basic variables (like in [9]), 
representing restricted data like agents or nonces. We believe that the resulting 
class, which extends $\mathcal{C}^\oplus$, is still decidable. 



5 Conclusion and Perspectives 

We have proved the decidability of a new first-order logic fragment, including 
some algebraic properties. This result applies to the automatic verification of 
cryptographic protocols. 

There are a few extensions to be considered: first, adding basic variables, as 
explained in the above note, would be useful for the application. On the theoret- 
ical side, there is no reason to restrict each clause of $S_0$ to use a single predicate 
symbol: it should be possible to allow clauses such as $\neg P_1(x) \vee \neg P_2(y) \vee P_3(x \oplus y)$ 
where $P_1, P_2, P_3$ are distinct. We didn't consider this extension here for the sake of 
simplicity and because we do not need it in the application. Yet another natural 
extension would be to consider the class $\mathcal{C}$, adding the algebraic properties of $\oplus$. 
This seems to be related to the above extension. 

Finally, the complexity of the decision result looks prohibitive. Before imple- 
menting the decision procedure, we need some refinements. First, we actually 
use a refinement of the ordering used in section 3: we established a general ter- 
mination result; however, completeness holds for any ordering which is narrow- 
liftable and compatible with the ordering used in the completeness proof on the 
ground level. 

A last question is of course to get similar results for other equational theories. 
In this paper, however, we heavily rely on the particular theory of xor. 
Abstract. Modular multiplication and exponentiation are common op- 
erations in modern cryptography. Unification problems with respect to 
some equational theories that these operations satisfy are investigated. 
Two different but related equational theories are analyzed. A unifica- 
tion algorithm is given for one of the theories which relies on solving 
syzygies over multivariate integral polynomials with noncommuting in- 
determinates. For the other theory, in which the distributivity property 
of exponentiation over multiplication is assumed, the unifiability prob- 
lem is shown to be undecidable by adapting a construction developed 
by one of the authors to reduce Hilbert's 10th problem to the solv- 
ability problem for linear equations over semi-rings. A new algorithm 
for computing strong Gröbner bases of right ideals over the polynomial 
ring $\mathbb{Z}\langle X_1, \ldots, X_n \rangle$ is proposed; unlike earlier algorithms proposed by 
Baader as well as by Madlener and Reinert which work only for right ad- 
missible term orderings with the boundedness property, this algorithm 
works for any right admissible term ordering. The algorithms for some 
of these unification problems are expected to be integrated into Naval 
Research Lab.'s Protocol Analyzer (NPA), a tool developed by Cather- 
ine Meadows, which has been successfully used to analyze cryptographic 
protocols, particularly emerging standards such as the Internet Engineer- 
ing Task Force's (IETF) Internet Key Exchange [11] and Group Domain 
of Interpretation [12] protocols. Techniques from several different fields, 
particularly symbolic computation (ideal theory and Gröbner basis 
algorithms) and unification theory, are thus used to address problems 
arising in state-based cryptographic protocol analysis. 
1 Introduction 

Modular arithmetic is the mainstay of many modern cryptographic algorithms. 
Arithmetical operations such as modular multiplication and exponentiation are 
part of several algorithms. For instance, the RSA and El Gamal algorithms use 
modular exponentiation for encryption/decryption, whereas the Diffie-Hellman 
and group Diffie-Hellman algorithms use it for key exchange. Abstracting equa- 
tional properties of modular exponentiation and designing equational unification 
algorithms for the resulting theories for use in protocol analysis was initiated in 
[13]. Building on the work reported in [7], we have so far explored four related 
unification theories involving modular multiplication. These are described below. 

The motivation for studying these equational theories comes from building 
a tool for analyzing authentication protocols against possible attack. The pro- 
posed unification algorithms are planned to be integrated into a software tool 
called the NRL Protocol Analyzer (NPA) developed by Catherine Meadows at 
the Naval Research Laboratory [10]. This tool employs a state-based approach 
for analyzing attacks on an authentication protocol, and has been used effec- 
tively to analyze, e.g., the Internet Engineering Task Force’s (IETF) Internet 
Key Exchange [11], Group Domain of Interpretation [12] protocols, demonstrate 
known integrity flaws in the Encapsulating Security Protocol [19] (an Internet 
Standard), and discover a new attack on the Simmons Selective Broadcast Pro- 
tocol [18]. Currently, the tool uses simple unification (over the empty theory) and 
a narrowing procedure for state exploration. Narrowing is used to find solutions 
with respect to (henceforth, abbreviated as wrt) a set of terminating rewrite 
rules capturing the semantics of primitive operations used in a protocol, thus 
simulating unification wrt the associated equational theory. However, if these 
primitive operations have the associativity and commutativity properties, which 
is often the case, then narrowing either does not work or is extremely inefficient. 

To review the various equational theories discussed in this paper, consider
the following set of axioms relating modular multiplication with modular
exponentiation:

$$
\begin{array}{ll}
x \cdot (y \cdot z) = (x \cdot y) \cdot z & \mathrm{(A)}\\
x \cdot y = y \cdot x & \mathrm{(C)}\\
x \cdot 1 = x & \mathrm{(U)}\\
x \cdot x^{-1} = 1 & \mathrm{(Inv)}\\
x^{1} = x & \mathrm{(Exp1)}\\
1^{x} = 1 & \mathrm{(Exp2)}\\
(x \cdot y)^{z} = x^{z} \cdot y^{z} & \mathrm{(Exp3)}\\
(x^{y})^{z} = (x^{z})^{y} & \mathrm{(Exp4)}\\
(x^{y})^{z} = x^{y \circ z} & \mathrm{(Exp5)}\\
x \circ (y \circ z) = (x \circ y) \circ z & \mathrm{(A')}\\
x \circ y = y \circ x & \mathrm{(C')}\\
x \circ 1 = x & \mathrm{(U')}
\end{array}
$$

The first four equations (A, C, U, Inv) characterize an Abelian group with ·
representing multiplication modulo a prime number p; for brevity, this
axiomatization is referred to as AG. The last three equations characterize an
Abelian monoid with ∘ standing for multiplication modulo p − 1. Operators · and
∘ share the unit 1. Modular exponentiation is denoted by x^y; it is also
written as . Note also that Exp5 implies a ‘kind of’ associativity for ∘, since

$$
x^{u \circ (v \circ w)} \;\overset{Exp5}{=}\; ((x^{u})^{v})^{w} \;\overset{Exp5}{=}\; x^{(u \circ v) \circ w}.
$$

We have investigated various theories that are obtained by keeping AG fixed
and varying the theories that ∘ satisfies. Our main results so far are:

(i) The unification problem for the equational theory consisting of AG and
axioms {Exp1, Exp2, Exp3} is decidable; this theory is denoted as E_3. This
theory is a subset of the equational theories in (ii) and (iii) below. A
unification algorithm for this problem is given by reducing it to that of
finding constrained solutions of linear equations over Z<X_1, ..., X_n>, an
algebraic structure similar to a polynomial ring over the integers, except that
the indeterminates do not commute (i.e., the multiplication operation on the
terms is not commutative; this structure is often called a monoid semiring).
This latter problem is solved by computing strong Gröbner bases¹ of right
ideals over Z<X_1, ..., X_n>. A new algorithm for computing strong Gröbner
bases for right ideals over Z<X_1, ..., X_n> is given; in contrast to the
earlier algorithms proposed by Baader [1] for weak Gröbner bases and by
Madlener and Reinert [9] for strong Gröbner bases assuming right admissible
orderings with the boundedness property², the proposed algorithm computes
strong Gröbner bases using any right admissible ordering.

Techniques employed here for solving linear equations over Z<X_1, ..., X_n>
are novel since the variables of the equations being solved have additional
constraints of the form that certain indeterminates cannot appear in their
solutions (these constraints are related to the occur check condition in simple
unification, i.e., over the empty theory³). Such constraints are ensured by
defining somewhat unusual kinds of admissible term orderings reflecting such
constraints. These term orderings are very different from the usual term
orderings typically used in the literature for computing Gröbner bases of
ideals, such as total degree and lexicographic, pure lexicographic, reverse
lexicographic as well as block orderings.

(ii) When axiom Exp4 is added to E_3, the unification problem for the extended
equational theory remains decidable, as shown in [7]; we will denote this
theory by E_{3,4}. The unification algorithm uses an algorithm for computing
strong Gröbner bases of polynomial ideals in Z[x_1, ..., x_n] developed by one
of the authors in 1984 [6]. Linear equations are solved under constraints in a
way similar to (i) above. For details, the reader can refer to [7].

¹ A weak Gröbner basis of a (right) ideal simplifies polynomials in the (right)
ideal to 0; however, polynomials equivalent with respect to the (right) ideal
need not be simplified by the weak Gröbner basis to the same canonical form. In
contrast, a strong Gröbner basis of a (right) ideal simplifies every polynomial
to a unique canonical form such that equivalent polynomials with respect to the
(right) ideal have the same canonical form; the canonical form of every
polynomial in the (right) ideal is 0; see [6,1,9] for more details.

² An ordering has the boundedness property if and only if for every element,
there are only finitely many elements smaller than the element in the ordering.

³ and also the linear constant restrictions introduced by Baader and Schulz [3].

(iii) If the equational theory in (i) is extended by adding axioms Exp5, A', C'
and U' instead of Exp4, then the unification problem for this equational
theory, denoted by E_{3,5}, is undecidable. (It is easy to see that Exp4
follows from C' and Exp5, thus implying that Exp5 is strictly stronger than
Exp4 in this context.) The undecidability is mainly due to the distributivity
property, since if the distributivity axiom Exp3 is dropped from this
equational theory, thus just keeping Exp5, then the unifiability problem is
NP-complete [13].

The undecidability proof adapts an earlier proof showing the undecidability of
the unification problem over the equational theory of isomorphisms over
Cartesian Closed Categories developed by one of the authors [15]. Details can
be found in [7].

(iv) If the equational theory in (i) is extended by adding axioms Exp5, A' and
U' (in other words, · forms an Abelian group, whereas ∘ forms a monoid), denoted
by E'_{3,5}, the unification problem is still undecidable. This is shown by
reducing Hilbert’s tenth problem to the unification problem by adapting a
construction developed by one of the authors [14] for showing undecidability
of solving linear equations over polynomial semirings. In Section 2, we provide
a sketch highlighting the main point; details can be found in [8].

The result mentioned in (ii) above was obtained earlier and is reported in [7]
with detailed proofs. The undecidability result mentioned in (iii) is similar
to the undecidability result reported in [7].

The paper thus brings together techniques from several different fields,
particularly symbolic computation (ideal theory and Gröbner basis algorithms)
and unification theory, to address problems arising in state-based
cryptographic protocol analysis.

We state in the next section that unifiability for E'_{3,5} is undecidable.
The rest of the paper focuses on the decidability of the unifiability check
for E_3. Section 3 relates unification over E_3 to unification over AGnH with
an occur-check-like condition. Section 4 discusses an algorithm for solving the
unification problem over AGnH with an occur-check-like condition. The algorithm
uses a strong Gröbner basis algorithm to solve linear equations over a monoid
semiring Z<X_1, ..., X_n>. To ensure that the solution to the unification
problem satisfies the occur-check-like condition, unusual term orderings
capturing this constraint are defined. The Gröbner basis algorithm is discussed
in Section 5. It is shown that the algorithm computes a Gröbner basis for a
right ideal using arbitrary right admissible term orderings, including those
which do not have the boundedness property. This algorithm is new since earlier
algorithms worked only for admissible term orderings satisfying the boundedness
property.
2 Undecidability of Unification over E'_{3,5}

We reduce Hilbert’s tenth problem to it by simulating numbers as well as
multiplication over numbers. In the following, for a natural number k, ⊗_k(b)
denotes b ∘ b ∘ ··· ∘ b (k copies of b).

Theorem 1. Unification over E'_{3,5} is undecidable.

Proof Sketch: The following equations

force w_2 to be ⊗_{k²}(b), thus simulating squaring. Using the construction
proposed in [14] with the above way of encoding squaring of numbers, Hilbert’s
tenth problem can be formulated as a unification problem in E'_{3,5}. For a
detailed proof, please refer to [8].

3 Relating Unification over E_3 to Unification over AGnH

We consider the theory E_3 consisting of AG and axioms Exp1, Exp2 and Exp3. We
show that the equational unification problem for E_3 is equivalent to the
unification problem wrt the theory of Abelian groups with noncommuting
homomorphisms, denoted by AGnH, but with an additional constraint. (The n
stands for the number of homomorphisms.)

It is shown in [2] that the theory AGnH is unitary with respect to unification
without constants and it is also unitary with respect to unification with
constants⁴. In Section 5 of [1], Baader showed that the unification problem of
AGnH reduces to solving linear equations over the polynomial ring
Z<h_1, ..., h_n> where h_1, ..., h_n are the noncommuting homomorphisms of
AGnH, treated as indeterminates in the polynomial ring. He gave a unification
algorithm for AGnH, which uses a weak Gröbner basis of a right ideal over
Z<h_1, ..., h_n> for solving linear equations; as a result, Baader also
proposed an algorithm for computing a weak Gröbner basis. We generalize
Baader’s algorithm by adding an additional key step to ensure that a given
linear constraint (capturing an occur-check-like condition) is satisfied by the
unifier, so as to apply it to the equational unification problem for E_3. This
generalization needs a strong Gröbner basis of a right ideal over
Z<h_1, ..., h_n>. In a later section, we develop a new algorithm for computing
a strong Gröbner basis of a right ideal over Z<h_1, ..., h_n>.

⁴ A theory is unitary if a minimal complete set of unifiers always exists and
its cardinality is at most one.
3.1 Unification over E_3 as a Combination of Theories

Let Σ = {·, 1, ⁻¹, ^}, the signature of E_3.

Definition 1. An E_3-unification problem S over Σ is called an AG-unification
problem if each equation in S is of the form x =? t, where x is a variable and
t is a term over the signature of AG.

Definition 2. An E_3-unification problem S on Σ is called an exponent
E_3-unification problem, abbreviated as EXP, if every equation in S is of the
form x =? y^z, where x and y are variables and z is a variable or a free
constant. Also, if z is a variable, z is called an exponent variable;
otherwise, it is called an exponent constant.

Definition 3. An E_3-unification problem S on Σ is called a simple
E_3-unification problem if S = S_1 ∪ S_2, where S_1 is an AG-unification
problem and S_2 is an exponent E_3-unification problem.

It is easy to see that using abstraction, any E_3-unification problem can be
transformed into a simple E_3-unification problem. For example, consider

$$
S = \{\, w =^{?} \big( x^{(y^{u \cdot v})^{-1} \cdot z^{u' \cdot v'}} \big)^{-1} \,\}.
$$

Using abstractions, S is transformed to S':

$$
\begin{array}{l}
\{\ 1.\ w =^{?} z_1^{-1},\quad 2.\ z_1 =^{?} x^{z_2},\quad 3.\ z_2 =^{?} z_3^{-1} \cdot z_4,\quad 4.\ z_3 =^{?} y^{z_5},\\[2pt]
\ \ \ 5.\ z_5 =^{?} u \cdot v,\quad 6.\ z_4 =^{?} z^{z_6},\quad 7.\ z_6 =^{?} u' \cdot v'\ \},
\end{array}
$$

where z_1, z_2, z_3, z_4, z_5, z_6 are new variables introduced for alien
subterms in S.

3.2 Relating AG + EXP to AGnH

Given a simple E_3-unification problem S, for each equation of the form
x =? y^w in S, we transform it into x =? h_w(y), where h_w is a homomorphism
corresponding to the symbol w. Let H(S) denote the set of all homomorphisms
introduced in this way, and let Σ_h = {·, ⁻¹, 1} ∪ H(S). We call the
transformed AGnH problem the h-image of S.

For the above example, its h-image T is:

$$
\begin{array}{l}
\{\ 1.\ w =^{?} z_1^{-1},\quad 2.\ z_1 =^{?} h_{z_2}(x),\quad 3.\ z_2 =^{?} z_3^{-1} \cdot z_4,\quad 4.\ z_3 =^{?} h_{z_5}(y),\\[2pt]
\ \ \ 5.\ z_5 =^{?} u \cdot v,\quad 6.\ z_4 =^{?} h_{z_6}(z),\quad 7.\ z_6 =^{?} u' \cdot v'\ \}.
\end{array}
$$

It is not hard to see that the unifiability of T wrt AGnH does not necessarily
imply that the original problem S has a unifier wrt E_3. For instance, the
problem {x =? a^x} has no unifier wrt E_3, whereas its h-image {x =? h_x(a)},
when simply taken as a unification problem wrt AGnH (with n = 1), is solvable.
Thus something like an extended occur check must be enforced; this is done by
solving the unifiability problem of T wrt AGnH subject to linear constraints
(including) x ≻ h_x for every homomorphism h_x ∈ H(S), i.e., a unifier θ of T
should satisfy the condition that for every x ∈ Var(T), θ(x) does not contain
any occurrence of h_x, where Var(T) denotes the set of all variables in T.
Definition 4. Given a simple E_3-unification problem S and its h-image T wrt
AGnH, a linear constraint C is a total ordering ≻_C over Var(T) ∪ H(S) such
that x ≻_C h_x for all exponent variables x in S.

Definition 5. A substitution β whose domain is Var(T) is said to satisfy a
linear constraint C if and only if the following holds: for every x ∈ Var(T),
β(x) does not contain any of the function symbols below x in C. In other words,
if x ≻_C h_y, then β(x) does not contain any occurrence of h_y.
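As an added example (not the paper's own code), the following Python implements the abstraction of Section 3.1, the h-image of Section 3.2 and the checks of Definitions 4 and 5, and runs them on the occur-check problem {x =? a^x} discussed above. The tuple encoding of terms, the class name Abstractor, the function names and the fresh-variable numbering z_1, z_2, ... are assumptions of this example.

```python
# Added example (not code from the paper): abstraction of an E_3-unification
# problem into a simple one (Section 3.1), its h-image over AGnH (Section 3.2),
# and the linear-constraint checks of Definitions 4 and 5.
# Terms are nested tuples: ('var', 'x'), ('const', 'a'), ('one',),
# ('mul', s, t), ('inv', s), ('exp', s, t); in the h-image ('h', 'w', s) is h_w(s).

class Abstractor:
    """Names alien subterms by fresh variables z_1, z_2, ... (the numbering
    scheme is this example's own; the paper fixes no particular order)."""

    def __init__(self):
        self.eqs = []        # defining equations (variable, term) of fresh variables
        self.fresh = 0

    def name(self, t):
        """Name of a variable standing for t, defining a fresh one if needed."""
        if t[0] == 'var':
            return t[1]
        rhs = self.purify(t)  # alien subterms inside t are named first
        self.fresh += 1
        z = 'z%d' % self.fresh
        self.eqs.append((z, rhs))
        return z

    def purify(self, t):
        """Rewrite t into an AG term, or into y^z with y a variable and z a
        variable or free constant (Definitions 1 and 2)."""
        k = t[0]
        if k == 'exp':
            base, ex = t[1], t[2]
            y = ('var', self.name(base))
            z = ex if ex[0] == 'const' else ('var', self.name(ex))
            return ('exp', y, z)
        if k == 'mul':
            return ('mul', self.in_ag(t[1]), self.in_ag(t[2]))
        if k == 'inv':
            return ('inv', self.in_ag(t[1]))
        return t             # variable, free constant or 1

    def in_ag(self, t):
        """Inside an AG context an exponentiation is an alien subterm: name it."""
        return ('var', self.name(t)) if t[0] == 'exp' else self.purify(t)


def simple_problem(S):
    """Transform the E_3 problem S (a list of (variable, term)) into a simple one."""
    ab = Abstractor()
    out = [(x, ab.purify(t)) for x, t in S]
    return out + ab.eqs


def h_image(simple):
    """Replace x =? y^w by x =? h_w(y); also return H(S) as the set of indices w."""
    T, H = [], set()
    for x, t in simple:
        if t[0] == 'exp':
            T.append((x, ('h', t[2][1], t[1])))
            H.add(t[2][1])
        else:
            T.append((x, t))
    return T, H


def exponent_variables(simple):
    """Variables occurring as exponents in the simple problem (Definition 2)."""
    return {t[2][1] for _, t in simple if t[0] == 'exp' and t[2][0] == 'var'}


def homs_in(t):
    """Indices w of all homomorphisms h_w occurring in an AGnH term."""
    found = {t[1]} if t[0] == 'h' else set()
    for s in t[1:]:
        if isinstance(s, tuple):
            found |= homs_in(s)
    return found


def valid_constraint(C, simple):
    """Definition 4: C (a list, largest element first, over Var(T) ∪ H(S), with
    h_w written 'h_w') must place every exponent variable x above h_x."""
    pos = {sym: i for i, sym in enumerate(C)}
    return all(pos[x] < pos['h_' + x] for x in exponent_variables(simple))


def satisfies(beta, C):
    """Definition 5: beta satisfies C iff no beta(x) contains an h_w below x in C."""
    pos = {sym: i for i, sym in enumerate(C)}
    return all(pos['h_' + w] < pos[x] for x, t in beta.items() for w in homs_in(t))


# The paper's occur-check example {x =? a^x}: its h-image is AGnH-unifiable by
# x -> h_x(a), but that unifier violates every linear constraint of Definition 4.
OCCUR = [('x', ('exp', ('const', 'a'), ('var', 'x')))]
OCCUR_SIMPLE = simple_problem(OCCUR)           # {x =? z1^x, z1 =? a}
OCCUR_T, OCCUR_H = h_image(OCCUR_SIMPLE)       # {x =? h_x(z1), z1 =? a}
OCCUR_BETA = {'x': ('h', 'x', ('const', 'a')), 'z1': ('const', 'a')}
```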

Definition 6. A unifier θ for an E_3-unification problem S is said to be a
discriminating unifier if and only if the following hold for all variables in
Var(S):

1. θ(u) ≠ 1 for all u.

2. θ(v) =_{E_3} θ(w) iff v = w.

Theorems 2 and 3 below relate the unification problem S wrt E_3 to its h-image
T wrt AGnH.



Theorem 2. Given a simple E_3-unification problem S and its h-image T wrt
AGnH, if S has a discriminating unifier, then T is unifiable. Furthermore,
there is a linear constraint C that the unifier of T satisfies.

A detailed proof of this theorem is discussed in [8].



Theorem 3. Given a simple E_3-unification problem S and its h-image T wrt
AGnH, if T has a solution which satisfies a linear constraint, then S is
solvable.

Proof. Consider all exponent equations

$$
\{\, x_{u_1} =^{?} x_{v_1}^{x_{w_1}},\ \ldots,\ x_{u_k} =^{?} x_{v_k}^{x_{w_k}} \,\}
$$

in S; similarly, also consider their corresponding equations

$$
\{\, x_{u_1} =^{?} h_{x_{w_1}}(x_{v_1}),\ \ldots,\ x_{u_k} =^{?} h_{x_{w_k}}(x_{v_k}) \,\}
$$

in the h-image T for S.

Let β be a ground unifier of T that satisfies a linear constraint C. From C, we
can get a subconstraint C' on variables in Var(T). Let Var(T) = {x_1, ..., x_n}.
Assume without loss of generality that C' = x_n ≻_C ··· ≻_C x_i ≻_C ··· ≻_C x_1.

Now we will use induction on C' to form θ. As the basis step, consider the
first variable in C'. Since x_n is the first variable, β(x_n) should not
contain any item below x_n in C, implying that β(x_n) is composed of constants.
Define θ(x_n) = β(x_n).

Assume that θ(x_{j'}) (j ≤ j' ≤ n) is already defined. For variable x_{j−1},
the following cases arise:

1. β(x_{j−1}) is composed of constants. In this case, define
θ(x_{j−1}) = β(x_{j−1}).

2. β(x_{j−1}) is composed of constants and some h_{x_{w_i}} (1 ≤ i ≤ n), where
each h_{x_{w_i}} ≻_C x_{j−1}. Since x_{w_i} ≻_C h_{x_{w_i}} ≻_C x_{j−1}, by the
induction hypothesis all these θ(x_{w_i}) are already defined. Therefore, we
can define θ(x_{j−1}) = rep_β(β(x_{j−1})), where the function rep_β is defined
as:

$$
\begin{array}{l}
rep_\beta(a) = a, \text{ where } a \text{ is a constant on } \Sigma_h;\\[2pt]
rep_\beta(A \cdot B) = rep_\beta(A) \cdot rep_\beta(B), \text{ where } A, B \text{ are terms on } \Sigma_h;\\[2pt]
rep_\beta(h_{x_{w_i}}(A)) = rep_\beta(A)^{\theta(x_{w_i})}, \text{ where } A \text{ is a term on } \Sigma_h.
\end{array}
$$

It can be shown that s =_{AGnH} t iff rep_β(s) =_{E_3} rep_β(t). Therefore,
rep_β(β(x_{u_i})) =_{E_3} rep_β(h_{x_{w_i}}(β(x_{v_i}))) for all 1 ≤ i ≤ n. So
θ(x_{u_i}) =_{E_3} θ(x_{v_i})^{θ(x_{w_i})} for all 1 ≤ i ≤ n. Thus θ is a
solution for S. □

In the next section, we generalize Baader’s algorithm for the unifiability
check for AGnH to work with a linear constraint.

4 Unification over AGnH with a Linear Constraint

The unifiers of a unification problem wrt AGnH, where h_1, ..., h_n are the
noncommuting homomorphisms, correspond to the solutions of (nonhomogeneous)
linear equations over the polynomial ring Z<h_1, ..., h_n> with h_1, ..., h_n
as indeterminates in the polynomial ring. The set of solutions of a homogeneous
equation p_1 X_1 + ··· + p_k X_k = 0, where p_1, ..., p_k ∈ Z<h_1, ..., h_n>
and X_1, ..., X_k are variables, is a finitely generated right
Z<h_1, ..., h_n>-semimodule. The nonhomogeneous equation
p_1 X_1 + ··· + p_k X_k = p_0 has a solution iff p_0 is a member of the right
ideal generated by p_1, ..., p_k. And, the membership problem for finitely
generated right ideals is decidable.

Let NHE be a set of linear equations

$$
\{\, p_{11} X_1 + \cdots + p_{1k} X_k = p_1,\ \ \ldots,\ \ p_{m1} X_1 + \cdots + p_{mk} X_k = p_m \,\}
$$

where p_{11}, ..., p_{1k}, ..., p_{m1}, ..., p_{mk}, p_1, ..., p_m are in
Z<h_1, ..., h_n>.

Baader [1] gave an algorithm for finding a solution for such nonhomogeneous
linear equations. In his algorithm, he first computes a weak Gröbner basis G
for a polynomial right ideal, then computes a right syzygy basis for the
homogeneous linear equations, and finally, a particular solution for the
nonhomogeneous equations by using G. The algorithm is nontrivial; we will not
discuss the details here but refer the reader to [1] for details. Let
π = (q_1, ..., q_k), where π(X_i) = q_i, be a particular solution for the above
set NHE of nonhomogeneous equations obtained, for instance, using Baader’s
algorithm.

Let SB denote a right syzygy basis {(q_{11}, ..., q_{1k}), ..., (q_{w1}, ..., q_{wk})}
for the set HE of the homogeneous equations

$$
\{\, p_{11} X_1 + \cdots + p_{1k} X_k = 0,\ \ \ldots,\ \ p_{m1} X_1 + \cdots + p_{mk} X_k = 0 \,\}.
$$

Proposition 1. π' = (q'_1, ..., q'_k) is equivalent to π with respect to SB and
hence is also a particular solution iff there exist multipliers b_1, ..., b_w
such that q_i − q'_i = q_{1i} b_1 + ··· + q_{wi} b_w for each 1 ≤ i ≤ k.



4.1 Solutions Satisfying a Linear Constraint

We discuss how a solution satisfying a linear constraint C, if any, is searched
for among all solutions of NHE.

Let z_1, ..., z_k be new indeterminates. Consider the following set MSB of
polynomials in Z<h_1, ..., h_n, z_1, ..., z_k> constructed from SB above:

$$
\{\, z_1 q_{11} + \cdots + z_k q_{1k},\ \ \ldots,\ \ z_1 q_{w1} + \cdots + z_k q_{wk} \,\}.
$$

Note that we only have to consider terms of the form z_j ω, where
ω ∈ (H(S))* and H(S) = {h_1, ..., h_n}. Below, we define a right compatible
ordering ≻_t on such linear terms to capture the linear constraint C in the
following sense: if in a term z_j ω_j, h_l ≻_C X_j for each h_l appearing in
ω_j, whereas in another term z_{j'} ω_{j'} we have some h_{l'} in ω_{j'} such
that X_{j'} ≻_C h_{l'}, then z_j ω_j ≺_t z_{j'} ω_{j'}.

The ordering ≻_t is used to construct a strong Gröbner basis GMSB for the set
MSB of polynomials. The polynomial π_p = z_1 q_1 + ··· + z_k q_k corresponding
to the particular solution π above is then normalized using the Gröbner basis
GMSB. Since the equivalence relation induced by MSB preserves solutions of
NHE, the canonical (normal) form of π_p wrt GMSB also corresponds to a
particular solution π'. If this particular solution π' satisfies C (i.e., all
terms are good in the sense defined in the next subsection), then we get a
unifier for the unification problem wrt AGnH satisfying C. If π' does not
satisfy C, then the unification problem wrt AGnH does not have a solution
satisfying C, since a polynomial corresponding to a solution satisfying C must
be smaller than the canonical form of π_p wrt ≻_t.

In the next subsection, we introduce how to define a term ordering ≻_t that
captures the linear constraint C.

4.2 A Term Ordering Capturing the Occur-Check Condition

Among all possible solutions of nonhomogeneous linear equations, to search for
a solution that satisfies a given linear constraint C, we define below a right
admissible term ordering in a radically different way. This is in contrast to
term orderings including total degree ordering, pure lexicographic ordering,
reverse lexicographic ordering and block ordering, typically used in the
literature on Gröbner basis computations.

A linear constraint C on an extended alphabet Δ, where
{X_1, ..., X_k} ⊆ {Y_0, ..., Y_l} and {h_1, ..., h_n} ⊆ {a_1, ..., a_l}, is
written as:

$$
Y_l \succ_C a_l \succ_C Y_{l-1} \succ_C a_{l-1} \succ_C \cdots \succ_C Y_1 \succ_C a_1 \succ_C Y_0 .
$$
In the above, upper case symbols are used for variables, and lower case
symbols are used for constants. Extra symbols are introduced to ensure that
between every two variables, there is a constant in the ordering.

Consider any two terms s, t in Z<h_1, ..., h_n, z_1, ..., z_k> which are
linear in {z_1, ..., z_k}. Define s ≻_t t iff nf(s#) >' nf(t#), where nf
stands for the normal form wrt the reduction rules defined below to capture the
linear constraint C. After defining nf and >', we show that ≻_t is right
admissible.

The term nf(s#) is over the extended alphabet

$$
\Delta_1 = \{a_1, \ldots, a_l,\ v_1, \ldots, v_l,\ a'_1, \ldots, a'_l,\ z_1, \ldots, z_k,\ z'_1, \ldots, z'_k\},
$$

where the a'_i’s in Δ_1 are copies of the corresponding a_i’s in Δ; further,
corresponding to every X_i in Δ, we have z_i, z'_i in Δ_1.

Below, legal term, good term, and bad term are defined on
{a_1, ..., a_l, z_1, ..., z_k} based on whether the term satisfies the linear
constraint C.

Definition 7. A term s = z_i s_a, where s_a ∈ {a_1, ..., a_l}*, is called a
legal term (only such terms appear in the polynomials in the basis MSB and in
the computation of a Gröbner basis from MSB).

A legal term s = z_i s_a is called a good term if for each a_j appearing in
s_a, a_j ≻_C X_i in C, i.e., s_a satisfies the linear constraint C with respect
to X_i.

A legal term s = z_i s_a is called a bad term if there exists a_j appearing in
s_a such that it is not the case that a_j ≻_C X_i in C, i.e., s_a does not
satisfy the linear constraint C with respect to X_i. (A legal term that is not
good is bad.)

To capture the restrictions imposed by the linear constraint C on terms, we
define the reduction rules on legal terms as:

The normal form of a legal term z_i s_a wrt the above rules is either

(i) z_i s_{a'}, where s_{a'} is obtained by systematically replacing every a_j
in s_a by a'_j, or

(ii) s_v z_i s_{a'}, where s_{a'} is obtained from s_a as in (i) and s_v is a
string of v_j’s.

To compare nf(s#) with nf(t#) using the above reduction rules, we define the
following ordering >' on symbols in Δ_1:

$$
v_1 >' \cdots >' v_l >' z_k >' \cdots >' z_1 >' a'_l >' \cdots >' a'_1 .
$$

This ordering is extended to terms over Δ_1 using pure lexicographic
comparison.

Definition 8. Given two terms s = x_1 ... x_m, t = y_1 ... y_r on Δ_1 and the
alphabet ordering on Δ_1 as defined above, we define s >' t iff t is a prefix
of s or there exists a k such that x_k >' y_k and x_{k'} = y_{k'} for all
1 ≤ k' < k. Given two legal terms s, t, s ≻_t t iff nf(s#) >' nf(t#).
By the above reduction rules, the normal form of a bad term is >' the normal
form of a good term, because only the normal form of a bad term has some v_j’s,
which are >' all a'_j’s and z_i’s. The ordering clearly does not have the
boundedness property.

Below, we sketch a proof that the ordering ≻_t on legal terms in
Z<h_1, ..., h_n, z_1, ..., z_k> is right admissible.

For any s ≠ 1, it is easy to see that s ≻_t 1. The following lemma ensures
that if s ≻_t t, then for any u, su ≻_t tu, by proving that nf(s#) >' nf(t#)
iff nf(su#) >' nf(tu#).

Lemma 1. Let Δ_1, >', and nf be as defined above. Then nf(s#) >' nf(t#) iff
nf(su#) >' nf(tu#) for all legal terms s, t, su and tu.

Proof-sketch: (i) If nf(s#) >' nf(t#) then nf(su#) >' nf(tu#): To prove this,
it is enough to prove that for any symbol a_p in Δ_1, nf(s a_p #) >' nf(t a_p #)
if nf(s#) >' nf(t#).

Since nf(s#) >' nf(t#), right multiplying by a_p on both s and t could
contribute either a'_p or v_p a'_p to the normal form of s a_p # and t a_p #.
The only hard case is when nf(s#) contains z_i and nf(t#) contains z_j such
that X_j ≻_C X_i (i.e., X_j is ‘more constrained’ than X_i) and in addition,
a_p ≻_C X_i and X_j ≻_C a_p. Right multiplying both sides by a_p will
contribute a'_p to nf(s a_p #) and v_p a'_p to nf(t a_p #). But since
nf(s#) >' nf(t#), there must be some a_q in s such that X_i ≻_C a_q and the
number of a_q’s in s is larger than the number of a_q’s in t. Thus nf(s#)
includes v_q whose power in nf(s#) is larger than its power in nf(t#). But
since a_p ≻_C X_i, v_q >' v_p. Thus nf(s a_p #) >' nf(t a_p #) since the terms
are compared lexicographically.

(ii) If nf(su#) >' nf(tu#), then nf(s#) >' nf(t#): This is easier since >' is
a total ordering on terms. For a detailed proof, see [8]. □

5 A Gröbner Basis Algorithm for Right Ideals

Gröbner bases for polynomials over Z have been considered in, for example, [6],
and more generally for polynomials over Euclidean rings. Here, we are
interested in constructing Gröbner bases for finitely generated right ideals in
Z<X_1, ..., X_n>, where X_1, ..., X_n are the noncommuting indeterminates. In
[1], Baader gave an algorithm for constructing weak Gröbner bases for right
ideals in Z<X_1, ..., X_n>. But in his algorithm only right compatible
orderings with the boundedness property can be used to construct weak Gröbner
bases.⁵ In [9], an algorithm for computing strong Gröbner bases for right
ideals in Z<X_1, ..., X_n> is given, but that too is for right admissible term
orderings with the boundedness property. In this section, we give an algorithm
which can be used to construct Gröbner bases for polynomial right ideals in
Z<X_1, ..., X_n> based on any right admissible term ordering.

For m, n ∈ Z, we define the ordering ≻_Z as follows: m ≻_Z n if either
|m| > |n|, or |m| = |n| and m < n. Thus −5 ≻_Z 5.

⁵ Recall that an ordering has the boundedness property if and only if for every
element, there are only finitely many elements less than it in the ordering.
The set of terms we consider is the monoid W_n = {X_1, ..., X_n}*.

Definition 9. A total ordering ≻ on W_n is called right admissible iff it
satisfies:

1. for any term t ≠ 1, t ≻ 1, and

2. for any terms s, t, u, if s ≻ t, then s u ≻ t u.

A right admissible ordering on terms can be extended to monomials as follows:
Let a, b ∈ Z and s, t ∈ W_n. Then a s ≻ b t iff

1. s ≻ t, or

2. s = t and a ≻_Z b.

Given an integer c, c induces an equivalence relation on Z as follows: a ≡_c b
iff there exists a k_1 such that a = k_1 c + b, where a, b, k_1 ∈ Z. Using this
equivalence relation ≡_c, we define the remainders with respect to c as
follows: Consider all equivalence classes induced by ≡_c. From each equivalence
class, the smallest element wrt ≻_Z is a remainder of c. For example, the
remainders of 5 are 0, 1, −1, 2, −2; 3 is not a remainder of 5; similarly, the
remainders of 4 are 0, 1, −1, 2.

Let ≻ be a right admissible ordering and let f = a t + g be a polynomial in
Z<X_1, ..., X_n> such that t ∈ W_n is the greatest term in f with respect to ≻
and a ∈ Z\{0} is the coefficient of t in f. Then t is called the head term of
f, denoted as HT(f); a is called the head coefficient of f, denoted as HC(f);
a t is called the head monomial of f, denoted as HM(f); and g = f − a t is
called the rest of f, denoted as R(f).

A right-admissible ordering on monomials can be extended in the natural way to
an ordering on polynomials by comparing head monomials first and, if these are
equal, recursively comparing the rests of the polynomials. Sets of polynomials
can be compared using its multiset extension ≫. Since ≻ is well-founded, these
extensions are well-founded too.

Definition 10. Given a set F of polynomials, for any f, g ∈ Z<X_1, ..., X_n>,
f can be reduced to g wrt F, denoted by f →_F g, iff

1. f contains a term t with coefficient a (i.e., f contains a monomial a t),

2. F contains a polynomial h such that t = HT(h) · s for some s and a is not a
remainder of HC(h), and

3. g = f − b h s, where a = b HC(h) + c and c is a remainder of HC(h).

We use nf_F(f) to denote a normal form of f with respect to →_F.

Lemma 2. Let F = {f_1, ..., f_k} be a set of polynomials. For any f_i
(1 ≤ i ≤ k), if f_i →*_{F\{f_i}} f'_i, then (F \ {f_i}) ∪ {f'_i} generates the
same right ideal as F.

Proof. Based on the definition of the reduction rules, f_i − f'_i is a sum of
right multiples b_j f_{h_j} s_j, where f_{h_j} ∈ F \ {f_i}. So
(F \ {f_i}) ∪ {f'_i} generates the same right ideal as F. □

Algorithm 5.1: Gröbner Basis Algorithm for Right Polynomial Ideals.

In the beginning, F_0 = {p_1, ..., p_m} and all pairs of indices are unmarked.
Without loss of generality, we assume all HC(p_i) > 0 (1 ≤ i ≤ m). Assume that
F_k (k ≥ 0) is already defined. If there is the zero polynomial 0 in F_k, we
erase it. As long as there are f = p_i and g = p_j in F_k such that:

(a) (i, j) is not marked and

(b) f = a t + R(f) and g = b t r + R(g) for a, b ∈ Z, and t, r ∈ W_n,

we do the following:

1. a ≤ b. Let b = c a + d for some c, d, where d is a remainder of a. Define
g_1 = g − c f r = d t r + R(g) − c R(f) r. Reduce g_1 to its normal form wrt
F_k. If HC(nf_{F_k}(g_1)) > 0, define g'_1 = nf_{F_k}(g_1); otherwise define
g'_1 = −nf_{F_k}(g_1). F_{k+1} = (F_k ∪ {g'_1}) \ {g, 0}. Since g = g_1 + c f r,
F_{k+1} generates the same right ideal as F_k by Lemma 1. Note that
HM(g'_1) ≺ HM(g).

2. r ≠ 1, a > b and b does not divide a. Let a = c b + d for some c, d, where
d is a remainder of b. We define g_1 = f r − c g = d t r + R(f) r − c R(g).
Since d < b, g is reducible by g_1. Let b = c_1 d + d_1, where d_1 is a
remainder of d, and g_2 = g − c_1 g_1. Reduce g_1, g_2 to their normal forms
g'_1 = nf_{F_k}(g_1) and g'_2 = nf_{F_k}(g_2) wrt F_k. If HC(g'_1) > 0, define
g''_1 = g'_1; otherwise define g''_1 = −g'_1. Similarly, if HC(g'_2) > 0,
define g''_2 = g'_2, and otherwise define g''_2 = −g'_2. Now
F_{k+1} = (F_k ∪ {g''_1, g''_2}) \ {g, 0}. In other words, g is deleted and the
non-zero normal forms are added to F_k. Since g = g_2 + c_1 g_1, F_{k+1}
generates the same ideal as F_k by Lemma 1. Again, HM(g''_1), HM(g''_2) ≺ HM(g).

3. r ≠ 1, a > b and b divides a. That is, there exists c such that a = c b.
Define g_1 = f r − c g = R(f) r − c R(g). Reduce g_1 to its normal form wrt
F_k. If HC(nf_{F_k}(g_1)) > 0, define g'_1 = nf_{F_k}(g_1); otherwise define
g'_1 = −nf_{F_k}(g_1). Define F_{k+1} = F_k ∪ {g'_1}. Since g_1 = f r − c g,
F_{k+1} generates the same ideal as F_k by Lemma 1. Mark (i, j). Here
HT(g_1) ≺ HT(g).

Note that there is no need to mark the pair in cases 1 and 2, since g is
deleted in both cases. For cases 1, 2, clearly F_k ≫ F_{k+1}. For case 3,
however, it is possible that F_{k+1} ≫ F_k. It is easy to see that if
p, q ∈ F_k such that HT(p) = HT(q), then due to case 1 above, eventually one of
these polynomials will be deleted from the basis, leaving at most one
polynomial with any head term.
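As an added example (not the paper's own code), the following Python implements the remainders induced by ≻_Z, the reduction →_F of Definition 10 and the three cases of Algorithm 5.1 over words of W_n, using a length-then-lexicographic right admissible ordering, and uses the resulting strong Gröbner basis for right-ideal membership tests. The dict-based polynomial encoding and all function names are this example's own assumptions.

```python
# Added example (not code from the paper): remainders wrt the ordering >_Z,
# the reduction ->_F of Definition 10 and the three cases of Algorithm 5.1
# for right ideals in Z<X_1,...,X_n>. Words (elements of W_n) are tuples of
# indeterminate names, () being the unit 1; a polynomial is a dict from words
# to nonzero integer coefficients. The term ordering tkey is length-then-
# lexicographic, which is right admissible. Function names are this example's own.

def zkey(m):
    """Sort key for >_Z: larger |m| is larger; of m and -m the negative one is larger."""
    return (abs(m), -m)

def remainder(a, c):
    """Remainder of a wrt c: the >_Z-smallest element of the class of a modulo c."""
    r = a % abs(c)
    return min((r, r - abs(c)), key=zkey) if r else 0

def tkey(w):
    return (len(w), w)

def head(p):
    """(HT(p), HC(p)) of a nonzero polynomial p."""
    t = max(p, key=tkey)
    return t, p[t]

def add(p, q, c=1):
    """p + c*q with zero coefficients dropped."""
    out = dict(p)
    for w, a in q.items():
        out[w] = out.get(w, 0) + c * a
        if out[w] == 0:
            del out[w]
    return out

def times(p, s):
    """p * s for a word s: right multiplication, since the ideals are right ideals."""
    return {w + s: a for w, a in p.items()}

def positive(p):
    """Flip the sign so that HC(p) > 0, as Algorithm 5.1 assumes for the basis."""
    return p if head(p)[1] > 0 else {w: -a for w, a in p.items()}

def reduce_step(f, F):
    """One step of ->_F (Definition 10); None if no monomial of f is reducible."""
    for t in sorted(f, key=tkey, reverse=True):
        a = f[t]
        for h in F:
            ht, hc = head(h)
            c = remainder(a, hc)
            if t[:len(ht)] == ht and c != a:   # t = HT(h)*s, a not a remainder of HC(h)
                return add(f, times(h, t[len(ht):]), -((a - c) // hc))
    return None

def normal_form(f, F):
    """nf_F(f): each step shrinks the coefficient at the reduced term wrt >_Z."""
    while f:
        g = reduce_step(f, F)
        if g is None:
            break
        f = g
    return f

def groebner_right(polys):
    """Algorithm 5.1: strong Groebner basis of the right ideal generated by polys."""
    F = [positive(p) for p in polys if p]
    marked = set()
    key = lambda p: tuple(sorted(p.items()))
    changed = True
    while changed:
        changed = False
        for f in list(F):
            for g in list(F):
                if f is g or f not in F or g not in F or (key(f), key(g)) in marked:
                    continue
                (t, a), (tg, b) = head(f), head(g)
                # need HT(g) = HT(f)*r; a > b with r = 1 is handled as the pair (g, f)
                if tg[:len(t)] != t or (a > b and tg == t):
                    continue
                r = tg[len(t):]
                if a <= b:                                  # case 1: g is replaced
                    d = remainder(b, a)
                    new, drop = [add(g, times(f, r), -((b - d) // a))], True
                elif a % b:                                 # case 2: b does not divide a
                    d = remainder(a, b)
                    g1 = add(times(f, r), g, -((a - d) // b))
                    d1 = remainder(b, d)
                    new, drop = [g1, add(g, g1, -((b - d1) // d))], True
                else:                                       # case 3: b divides a; mark (f, g)
                    new, drop = [add(times(f, r), g, -(a // b))], False
                    marked.add((key(f), key(g)))
                nfs = [normal_form(p, F) for p in new]
                if drop:
                    F.remove(g)
                F.extend(positive(p) for p in nfs if p)
                changed = True
    return F

def in_right_ideal(p, G):
    """With a strong Groebner basis G of <G>, p is in <G> iff nf_G(p) = 0."""
    return not normal_form(p, G)
```

Note that XY is in the right ideal generated by X (as X·Y) while YX is not, which is what the prefix test in reduce_step captures.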

Lemma 3. Algorithm 5.1 terminates on any finite input basis of polynomials.

Proof-sketch: The proof follows from two crucial insights: (i) a new polynomial
added to a basis during the algorithm (due to any of cases 1, 2 and 3) is
smaller than the largest polynomial in the basis because its head term is lower
than or equal to the head terms of the polynomials used in its generation, and
(ii) the head term of any polynomial has only finitely many prefixes, and
consequently, only finitely many new polynomials can be generated using any
given polynomial.

The proof is by contradiction. Consider a run of the algorithm starting with a
basis G_0: G_0, G_1, ..., G_i, G_{i+1}, ..., where G_{i+1} is obtained from G_i
by one of the cases.

Claim: There exists an i such that every basis G_{i'}, i' > i, has the same
largest polynomial, say f_i (since the ordering is well-founded); furthermore,
no overlaps involving f_i are considered subsequently, i.e., in all G_{i'},
i' > i.

It can then be shown that any Gröbner basis of G_i \ {f_i} when extended with
f_i is a Gröbner basis of G_i.

Repeat the above argument on G_i \ {f_i}. The largest polynomial in G_i \ {f_i}
is lower in the ordering ≻ than f_i. This process must terminate because the
term ordering is well-founded. This contradicts the assumption that the
algorithm goes on forever. □

The correctness of the above Gröbner basis algorithm is established by a 
series of lemmas, patterned after the proof in [1] using ideas from [6], to establish 
that the proposed algorithm indeed computes a strong Gröbner basis for a right 
ideal over $\mathbb{Z}\langle X_1, \ldots, X_n \rangle$. Proofs had to be omitted because of space limitations; 
an interested reader can consult [8]. 

Lemma 4. Starting with a finite input basis G, let Algorithm 5.1 terminate in 
$G_n$ by generating a sequence of bases $G, G_1, \ldots, G_n$. For any term t, if $f = \sum_{g_i \in G} g_i a_i$ 
with $HT(g_i a_i) \preceq t$, then $f = \sum_{g'_i \in G_n} g'_i a'_i$ with $HT(g'_i a'_i) \preceq t$. 

Lemma 5. Starting with a finite input basis G, let Algorithm 5.1 terminate in 
$G_n$. Assume $G_n = \{g_1, \ldots, g_m\}$. For any $f \in \langle G \rangle$, there exist polynomials 
$a_1, \ldots, a_m$ such that $f = \sum_{i=1}^{m} g_i a_i$ and $|\{i \mid HT(g_i a_i) = HT(f)\}| = 1$. 

Lemma 6. Starting with a finite input basis G, let Algorithm 5.1 terminate in 
$G_n$. Assume $G_n = \{g_1, \ldots, g_m\}$. Any polynomial $f \in \langle G \rangle$ can be reduced to 0 
with respect to $\rightarrow_{G_n}$. 

Theorem 4. Starting with a finite input basis G, let Algorithm 5.1 terminate 
in $G_n$ by generating a sequence of bases $G, G_1, \ldots, G_n$. Then $G_n$ is a strong 
Gröbner basis. 

The key idea in the proof is that for any two polynomials $p_1$ and $p_2$, if $p_1 - p_2$ 
reduces to 0, then one of $p_1$ and $p_2$ is reducible by $\rightarrow_{G_n}$. Further, the ordering 
$\succ_{\mathbb{Z}}$ on $\mathbb{Z}$ satisfies the unique remainder property discussed in [6]. 

6 Conclusion 

Unification problems for theories admitting modular multiplication and exponentiation 
are discussed. As shown above, for theories that admit the distributivity 
property of exponentiation over multiplication, unifiability checks are undecidable. 
However, if this property is excluded, then unification algorithms for various 
restricted theories, depending upon the properties of exponentiation used, can 
be obtained. In most cases, these algorithms are of high complexity. 

In order to integrate these unification algorithms into the NRL Protocol Analyzer 
(NPA) and effectively use them for cryptographic protocol analysis, it will 
be useful to further specialize these algorithms so as to keep their complexity 
manageable in practice. That is likely to be the main challenge in investigating 
the effectiveness of the approach proposed in [13]. This issue needs further 
investigation. 




An E-unification Algorithm for Analyzing Protocols 179 



References 



1. F. Baader. Unification in Commutative Theories, Hilbert's Basis Theorem, and 
Gröbner Bases. J. ACM, 40 (3), 1993, 477-503. 

2. F. Baader and W. Nutt. Adding Homomorphisms to Commutative/Monoidal Theories, 
or: How Algebra Can Help in Equational Unification. Proc. Intl. Conf. 
on Rewriting Techniques and Applications (RTA 91), LNCS 488, 1991, 124-135. 

3. F. Baader and K.U. Schulz. Unification in the Union of Disjoint Equational 
Theories: Combining Decision Procedures. Proc. 11th Conference on Automated 
Deduction (CADE-11), Saratoga Springs, NY, Springer LNAI 607, 1992, 50-65. 

4. J. Clark and J. Jacob. A Survey of Authentication Protocol Literature: Version 
1.0. Unpublished Technical Report, Department of Computer Science, University 
of York, UK, Nov 1997. Available at the URL: 
www-users.cs.york.ac.uk/~jac/papers/drareviewps.ps. 

5. M. Davis. Computability and Unsolvability. Dover Publications, 1982. 

6. A. Kandri-Rody and D. Kapur. Computing the Gröbner Basis of a Polynomial 
Ideal over Integers. Proc. Third MACSYMA Users' Conference, Schenectady, NY, 
July 1984, 436-451. See also A. Kandri-Rody and D. Kapur. An Algorithm for 
Computing the Gröbner Basis of a Polynomial Ideal over an Euclidean Ring. Journal 
of Symbolic Computation, 6 (1), August 1988, 37-57. 

7. D. Kapur, P. Narendran, and L. Wang. A Unification Algorithm for Analysis 
of Protocols with Blinded Signatures. TR 02-5, Department of Computer Science, 
SUNY, Albany, NY. To appear in the Festschrift for Jörg Siekmann (Dieter Hutter, 
Werner Stephan, eds.), Lecture Notes in Artificial Intelligence 2605, Springer. 

8. D. Kapur, P. Narendran, and L. Wang. Analyzing Protocols that use Modular 
Exponentiation: Semantic Unification Techniques. Technical Report, Department 
of Computer Science, SUNY, Albany, NY. An expanded version of this paper. 

9. K. Madlener and B. Reinert. On Gröbner bases in Monoid and Group Rings. SEKI 
Report SR-93-08, Universität Kaiserslautern, Germany. 

10. C. Meadows. The NRL Protocol Analyzer: An Overview. J. Logic Programming, 
26(2), 1996, 113-131. 

11. C. Meadows. Analysis of the Internet Key Exchange protocol using the NRL 
Protocol Analyzer. In: Proc. 1999 IEEE Symp. on Security and Privacy. 

12. C. Meadows, P. Syverson and I. Cervesato. Formal Specification and Analysis 
of the Group Domain of Interpretation Protocol using NPATRL and the NRL 
Protocol Analyzer. To appear in the Journal of Computer Security. 

13. C. Meadows and P. Narendran. A Unification Algorithm for the Group Diffie- 
Hellman Protocol. Workshop on Issues in the Theory of Security (WITS 2002), 
Portland, OR, Jan 2002. 

14. P. Narendran. On solving linear equations over polynomial semirings. In: Proc. 
11th Annual Symp. on Logic in Computer Science (LICS), NJ, July 96, 466-472. 

15. P. Narendran, F. Pfenning, and R. Statman. On the Unification Problem for 
Cartesian Closed Categories. Journal of Symbolic Logic, 62 (2), June 97, 636-647. 

16. O. Pereira and J.-J. Quisquater. A Security Analysis of the Cliques Protocols 
Suites. Proc. 14th IEEE Computer Security Foundations Workshop, June 2001. 

17. R.L. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining Digital Signatures 
and Public Key Cryptosystems. CACM 21 (2), 1978, 120-126. 

18. G. Simmons and C. Meadows. The Role of Trust in Information Integrity Protocols. 
Journal of Computer Security 3 (2), 1994. 

19. S.G. Stubblebine and C. Meadows. On Searching for Known and Chosen Cipher 
Pairs using the NRL Protocol Analyzer. Presented at the DIMACS Workshop on 
Design and Formal Verification of Security Protocols, September 1997. 




Two-Way Equational Tree Automata 
for AC-Like Theories: 
Decidability and Closure Properties* 



Kumar Neeraj Verma 

LSV/CNRS UMR 8643 & INRIA Futurs projet SECSI & ENS Cachan, France 
verma@lsv.ens-cachan.fr 



Abstract. We study two-way tree automata modulo equational theories. 
We deal with the theories of Abelian groups (ACUM), idempotent 
commutative monoids (ACUI), and the theory of exclusive-or (ACUX), 
as well as some variants including the theory of commutative monoids 
(ACU). We show that the one-way automata for all these theories are 
closed under union and intersection, and emptiness is decidable. For two-way 
automata the situation is more complex. In all these theories except 
ACUI, we show that two-way automata can be effectively reduced to 
one-way automata, provided some care is taken in the definition of the 
so-called push clauses. (The ACUI case is open.) In particular, the two-way 
automata modulo these theories are closed under union and intersection, 
and emptiness is decidable. We also note that alternating variants 
have an undecidable emptiness problem for most theories, contrary to the 
non-equational case where alternation is essentially harmless. 



1 Introduction 

Tree automata [4,2] enjoy many good properties: emptiness is decidable, and the 
class of recognizable languages is closed under Boolean operations, notably. This 
extends to so-called two-way tree automata, where transitions may not only 
construct terms as in ordinary tree automata (call them one-way to distinguish 
them from two-way automata), but also destruct terms (see [2], Chapter 7, Alternating 
Tree Automata). The presence of these latter transitions sometimes 
makes two-way automata more convenient to work with than one-way automata, 
although they are equally expressive. 

A recent and important extension of the tree automata concept is that of 
equational tree automata [8,12], which recognize terms modulo an equational 
theory. Until now, all results on equational tree automata have been concerned 
with one-way automata only, see the table below. The purpose of this paper is to fill 
this gap. 

* Partially supported by the ACI "cryptologie" PSI-Robuste, ACI VERNAM, the 
RNTL project EVA and the ACI jeunes chercheurs "Sécurité informatique, protocoles 
cryptographiques et détection d'intrusions". 
                    one-way                                two-way 

non-equational      emptiness decidable,                   emptiness decidable, 
                    closed under ∪, ∩, complement [4,2]    closed under ∪, ∩, complement, 
                                                           reduce to one-way automata [2] 

equational          [8,9,12,13]                            This work. 
                    (see related work section.) 



More specifically, we study the notion of two-way equational tree automata, 
modulo several theories extending the theory ACU of one associative, commutative 
operation + with unit 0, which is defined by the axioms (A) $x + (y + z) = (x + y) + z$, 
(C) $x + y = y + x$ and (U) $x + 0 = x$. These theories will be obtained by 
adding axioms to the base theory ACU, taken from the following: idempotence 
(I) $x + x = x$; the xor axiom (X) $x + x = 0$, and more generally the cancellation 
axiom ($X_n$) $nx = 0$ (where $nx$ denotes $x + x + \ldots + x$, n times); the minus axiom (M) 
$x + (-x) = 0$, where − is an additional unary symbol; and the minus distributivity 
axioms (D) $-(x + y) = (-x) + (-y)$, $-(-x) = x$, $-0 = 0$. We name a 
theory by the names of its axioms; e.g., ACUM is the theory of Abelian groups. 
Note that D is implied by ACUM, so ACUD is a (strictly) weaker theory than 
ACUM. Except for the axiom $-(-x) = x$, the theory ACUD resembles the 
theory ACUh (ACU with homomorphism) considered in some papers. 
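To make the theories above concrete, here is a canonical-form decision procedure for equality modulo ACU, ACUI, ACUX, ACU$X_n$, ACUM and ACUD. It is an added example written for this page, not code from the paper; the term representation, the function names (`canon`, `equal`, `plus`, `neg`, `app`) and the test terms are all constructed here. Each theory collapses a sum into a map from functional atoms to coefficients and normalizes the coefficients according to the extra axiom: natural numbers for ACU, presence only for ACUI, residues mod 2 or mod n for ACUX and ACU$X_n$, integers for ACUM, and for ACUD naturals over signed atoms, since D pushes − down to the atoms and cancels $-(-x)$ but never cancels $x + (-x)$.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Tuple

# Constructed term representation (not the paper's code): a free symbol f of
# arity n is Term("f", (t1, ..., tn)); "+" may take any number of arguments,
# "0" is the unit and "-" the unary minus used by the theories ACUM and ACUD.
@dataclass(frozen=True)
class Term:
    sym: str
    args: Tuple["Term", ...] = ()

ZERO = Term("0")

def app(f: str, *args: Term) -> Term:
    return Term(f, tuple(args))

def plus(*ts: Term) -> Term:
    return Term("+", tuple(ts))

def neg(t: Term) -> Term:
    return Term("-", (t,))

def canon(t: Term, theory: str, n: int = 2):
    """Canonical form of t modulo the theory: a frozenset of (atom, coefficient)
    pairs. Atoms are canonical functional terms ("fun", f, canonical args); in
    ACUD an atom also carries a sign, because -f(...) does not simplify there."""
    if t.sym == "0":                       # axiom (U): 0 is the empty sum
        return frozenset()
    if t.sym == "+":                       # axioms (A), (C): a sum is a multiset
        coeffs: Counter = Counter()
        for s in t.args:
            coeffs.update(dict(canon(s, theory, n)))
        return _normalize(coeffs, theory, n)
    if t.sym == "-":
        if theory not in ("ACUM", "ACUD"):
            raise ValueError(f"'-' is not in the signature of {theory}")
        inner = canon(t.args[0], theory, n)
        if theory == "ACUM":               # axiom (M): x + (-x) = 0, so negate coefficients
            coeffs = Counter({atom: -k for atom, k in inner})
        else:                              # axioms (D): -(x+y) = -x + -y, -(-x) = x, -0 = 0
            coeffs = Counter({(not sign, fun): k for (sign, fun), k in inner})
        return _normalize(coeffs, theory, n)
    # free symbol: canonicalize the arguments, keep the symbol itself
    fun = ("fun", t.sym, tuple(canon(a, theory, n) for a in t.args))
    atom = (False, fun) if theory == "ACUD" else fun
    return frozenset({(atom, 1)})

def _normalize(coeffs: Counter, theory: str, n: int):
    out = {}
    for atom, k in coeffs.items():
        if theory == "ACUI":               # (I) x + x = x: only presence matters
            k = 1 if k > 0 else 0
        elif theory == "ACUX":             # (X) x + x = 0: coefficients mod 2
            k %= 2
        elif theory == "ACUXn":            # (X_n) nx = 0: coefficients mod n
            k %= n
        if k != 0:
            out[atom] = k
    return frozenset(out.items())

def equal(s: Term, t: Term, theory: str, n: int = 2) -> bool:
    """Decide s =_E t for the named theory E by comparing canonical forms."""
    return canon(s, theory, n) == canon(t, theory, n)

if __name__ == "__main__":
    a, b = Term("a"), Term("b")
    print(equal(plus(a, b), plus(b, a), "ACU"))        # True: commutativity
    print(equal(plus(a, a), ZERO, "ACUX"))             # True: the xor axiom
    print(equal(plus(a, neg(a)), ZERO, "ACUD"))        # False: D is strictly weaker than M
```

The last call is the point made in the paragraph above: modulo ACUD the term $a + (-a)$ keeps two signed atoms and is not equal to 0, whereas modulo ACUM the coefficients cancel. The same function is the equality test $s =_E t$ used by the second derivation rule of Section 2.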

We first show that modulo ACU, ACUI, ACUD, ACUM (Abelian groups), 
ACUX (the theory of exclusive-or), and ACU$X_n$, the one-way automata are 
closed under intersection and union, and emptiness is decidable. In particular membership 
is decidable since, trivially, the equational closure of a singleton set is 
accepted by our one-way automata. The hard part is in showing closure under 
intersection; this is in particular much more involved than in the non-equational 
case, although the technique we use can be thought of as a kind of souped-up 
product construction. 

As far as two-way equational tree automata are concerned, we show that 
modulo all theories E above except ACUI, they are exactly as expressive as the 
corresponding one-way automata, and we describe effective reduction processes 
from two-way to one-way automata modulo E. (The ACUI case is currently still 
open.) For these reductions to work, and in fact for any reduction from two-way 
to one-way automata to work, special care has to be taken in the definition of 
the so-called push clauses, which are the kinds of transitions that are added in 
the two-way case compared to the one-way case. Indeed, we show that, had we 
been more sloppy, then emptiness of two-way automata modulo ACU, ACUD, 
ACUM would have been undecidable. We also show that the emptiness question 
for the alternating variants of one-way automata modulo the latter theories is 
undecidable, too. This is in sharp contrast with the non-equational case, where 
emptiness is decidable for alternating, two-way tree automata. 

Two-way tree automata have recently been used for verification of cryptographic 
protocols [6,11]. While they work in the case of perfect cryptographic 
primitives, more complex primitives with additional algebraic properties need 
to be modeled using equational theories. Two theories that occur often are the 
theories of exclusive-or and Abelian groups. This is not the topic of this paper 
and won't be pursued here. 

Plan. After some material on related work, we define our one-way and two-way 
equational tree automata in Section 2, discussing basic properties and some 
undecidability results. To deal with decidable cases, we start with some easy 
results in Section 3, which shall form the basis for the rest of the paper; in 
particular, we show that the so-called constant-only one-way ACU automata 
recognize exactly the semilinear sets. These results are used in Section 4 to 
compute intersections of one-way automata modulo ACUX. From there, we 
deduce a procedure to convert two-way ACUX automata to one-way ACUX 
automata in Section 5; we also discuss generalizations to the theory ACU$X_n$ 
for any $n \ge 2$. The results and proofs in the Abelian groups case (ACUM) are 
exactly as in the ACUX case, as we argue in Section 7. This however requires us 
to first deal with the constant-only ACUD case in Section 6. The general ACU 
and ACUD cases are simplified versions of the ACUX and Abelian groups cases 
respectively and are dealt with in Section 8. Lastly we show that intersections 
of one-way ACUI automata are also computable in Section 9, and discuss why 
translating two-way ACUI to one-way ACUI automata is troublesome. We 
conclude in Section 10. 

Related work. The multitree automata of Lugiez [9], which extend his earlier 
work [8], correspond to our one-way ACU automata but with a much richer 
set of constraints including equality constraints, still keeping decidability, and 
are closed under boolean operations. This is incomparable to ours: our two-way 
automata cannot avoid undecidability in the presence of equality constraints. 
Ohsaki [12,13] considers a larger framework of (one-way) E tree automata, where 
E is an equational theory. Ohsaki's regular E automata coincide with our one-way 
E tree automata when E is linear (like AC, ACU), but this does not hold in 
all theories. For example, in Ohsaki's case, with transition rules $a \to q$, $b \to q$, 
$q + q \to q'$ and $0 \to q'$, and with the theory ACUX, we have $a + b \to^* q'$. In our 
case, with the corresponding clauses $q(a)$, $q(b)$, $q'(x + y) \Leftarrow q(x) \wedge q(y)$ and $q'(0)$, 
and with the theory ACUX, $a + b$ is not accepted at $q'$. For arbitrary E we do not 
know the relationship between our automata and Ohsaki's automata, and the 
two notions appear rather dissimilar. The multiset automata of Colcombet [1] 
correspond to the subclass of our one-way ACU automata in which all symbols 
other than +, 0 are unary. Note that the specific theories ACUX, ACUM, etc., 
that we consider here have traditionally not been considered in the framework of 
(one-way equational) tree automata; they give rise to specific technical problems 
and solutions. The notion of alternating two-way AC tree automata will be 
treated in detail in [7], which also considers some additional push clause formats 
which are not relevant in this paper. 
2 Two-Way E-Tree Automata 



Fix a signature Σ of function symbols, each coming with a fixed arity, and let E 
be an equational theory, inducing a congruence $=_E$ on the terms built from Σ. 
We will use clauses of first order logic as a general means of representing various 
classes of automata. 

A definite clause is an implication of the form 

$$P(t) \Leftarrow P_1(t_1) \wedge \ldots \wedge P_n(t_n) \qquad (1)$$ 

where $P, P_i$ are predicates and $t, t_i$ are terms built from Σ and 
variables. Given a finite set C of such definite clauses we define derivations of 
ground atoms using the following two rules: 

$$\frac{P_1(t_1\sigma)\ \ldots\ P_n(t_n\sigma)}{P(t\sigma)} \quad \text{if } P(t) \Leftarrow P_1(t_1) \wedge \ldots \wedge P_n(t_n) \in C$$ 

$$\frac{P(s)}{P(t)} \quad \text{if } s =_E t$$ 
where σ is a ground substitution. Thus a derivation is a tree-like structure, which 
should not be confused with the trees which are the terms built from Σ. The 
connection of definite clauses with automata is as follows: predicates are states, 
finite sets of definite clauses are automata, and an atom $P(t)$ is derivable using 
C iff the term t is accepted at state P in the automaton C. The derivations using 
C are sometimes called runs of the automaton C. It is also easy to see that the 
set of derivable atoms is exactly the least Herbrand model of the set of clauses 
modulo E. 

The language $L_P(C/E)$ is the set of terms t such that $P(t)$ is derivable. 
When E is the empty theory, we shall call it $L_P(C)$. If in addition some state 
$P_f$ is specified as being final then the language accepted by C will be $L(C/E) = L_{P_f}(C/E)$. 
Given a language L and an equational theory E, $E(L)$ denotes the set 
of terms t such that $t =_E s$ for some $s \in L$. A state or an automaton is called 
empty if it does not accept any term. 



We will be especially interested in the following kinds of clauses, which we 
shall call pop clauses, epsilon clauses and general push clauses respectively: 

$$P(f(x_1, \ldots, x_n)) \Leftarrow P_1(x_1) \wedge \ldots \wedge P_n(x_n) \qquad (2)$$ 

$$P(x) \Leftarrow P_1(x) \qquad (3)$$ 

$$P(x_i) \Leftarrow Q(f(x_1, \ldots, x_n)) \wedge P_1(x_{i_1}) \wedge \ldots \wedge P_k(x_{i_k}), \quad 1 \le i, i_1, \ldots, i_k \le n \qquad (4)$$ 



In both clauses (2) and (4), the variables $x_1, \ldots, x_n$ are distinct. We define 
one-way automata as consisting of clauses of kind (2) and (3), whereas general 
two-way automata in addition contain clauses of kind (4). We shall see that the 
general push clauses are problematic, hence we shall consider restricted forms 
called push clauses below. Our one-way automata (without equations) are exactly 
the classical tree automata usually described in the literature. Clauses (2) 
and (3) correspond to transition rules $f(P_1, \ldots, P_n) \to P$ and $P_1 \to P$ of classical 
tree automata. Note that the 'two-way automata' of [15] are a different notion 
from ours. The following result is an easy consequence of the above definitions, 
and is shown by induction on the derivations. 



Lemma 1. For any one-way automaton C and equational theory E, $L_P(C/E) = E(L_P(C))$. 
In particular emptiness of one-way E tree automata is decidable. 
The result does not hold for two-way automata in general. 

We will sometimes need extended epsilon clauses: 

$$P(x) \Leftarrow Q(x) \wedge P_1(x_1) \wedge \ldots \wedge P_n(x_n) \qquad (5)$$ 

where the variables $x, x_1, \ldots, x_n$ are distinct. Intuitively, this is an epsilon clause 
$P(x) \Leftarrow Q(x)$ together with emptiness tests on the states $P_1, \ldots, P_n$. We have 
the easy: 

Lemma 2. For any one-way automaton C which in addition contains clauses 
(5), we can compute a one-way automaton C' such that for each P, $L_P(C/E) = L_P(C'/E)$. 

Proof. Lemma 1 trivially extends to one-way automata with extra clauses (5), 
hence emptiness is decidable. Then remove all clauses (5) where some $P_i$ is empty, 
$1 \le i \le n$, and remove all $P_i(x_i)$, $1 \le i \le n$, from the remaining clauses (5). □ 
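The proof of Lemma 2 is short enough to run. The following is an added example, not code from the paper: it encodes clauses of kinds (2), (3) and (5) as tuples (a representation chosen here), computes the non-empty states by the usual least-fixpoint saturation, which by Lemma 1 is independent of E, and then applies the two steps of the proof. The sample automaton is constructed for the example; its state `Dead` has no base clause and so is empty.

```python
from typing import List, Set

# Clause encoding constructed for this example (not the paper's notation):
#   ("pop",  P, f, [P1, ..., Pn])   P(f(x1, ..., xn)) <= P1(x1) /\ ... /\ Pn(xn)   kind (2)
#   ("eps",  P, Q)                  P(x) <= Q(x)                                    kind (3)
#   ("xeps", P, Q, [P1, ..., Pn])   P(x) <= Q(x) /\ P1(x1) /\ ... /\ Pn(xn)        kind (5)
Clause = tuple

def nonempty_states(clauses: List[Clause]) -> Set[str]:
    """States accepting at least one term. Emptiness of a one-way automaton
    (with clauses (5)) does not depend on E by Lemma 1, so it is computed on
    the free term algebra: P is non-empty iff some clause with head P has all
    of its body states non-empty. The x_i of a clause (5) are fresh variables,
    so each test state only has to be non-empty on its own."""
    ne: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for cl in clauses:
            head = cl[1]
            if head in ne:
                continue
            if cl[0] == "pop":
                ok = all(q in ne for q in cl[3])
            elif cl[0] == "eps":
                ok = cl[2] in ne
            else:  # "xeps"
                ok = cl[2] in ne and all(q in ne for q in cl[3])
            if ok:
                ne.add(head)
                changed = True
    return ne

def eliminate_extended_epsilon(clauses: List[Clause]) -> List[Clause]:
    """Lemma 2: drop every clause (5) whose test states include an empty one,
    and turn each remaining clause (5) into an ordinary epsilon clause (3)."""
    ne = nonempty_states(clauses)
    out: List[Clause] = []
    for cl in clauses:
        if cl[0] != "xeps":
            out.append(cl)
        elif all(q in ne for q in cl[3]):
            out.append(("eps", cl[1], cl[2]))
    return out

# Constructed sample automaton: Leaf(a); Node(f(x,y)) <= Leaf(x) /\ Leaf(y);
# Dead(g(x)) <= Dead(x) has no base case, so Dead is empty and so is Bad.
SAMPLE: List[Clause] = [
    ("pop", "Leaf", "a", []),
    ("pop", "Node", "f", ["Leaf", "Leaf"]),
    ("pop", "Dead", "g", ["Dead"]),
    ("xeps", "Good", "Node", ["Leaf"]),
    ("xeps", "Bad", "Node", ["Dead"]),
]

if __name__ == "__main__":
    print(sorted(nonempty_states(SAMPLE)))       # ['Good', 'Leaf', 'Node']
    print(eliminate_extended_epsilon(SAMPLE))    # the Bad clause is gone, Good(x) <= Node(x) remains
```

The returned automaton has only clauses (2) and (3), so Lemma 1 applies to it directly; the languages at every state are unchanged because a dropped clause could never fire and a kept clause's tests were always satisfiable.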

Since we are dealing with theories extending ACU, we assume that Σ contains 
the symbols +, 0 and, in case of the equations D or M, the symbol −. Note that 
we do not deal with the case of Σ containing several + (resp. −, 0) symbols. 
Symbols in $\Sigma_f = \Sigma \setminus \{+, -, 0\}$ are called free. Free symbols of zero arity will 
be called constants. Terms of the form $f(t_1, \ldots, t_n)$ where f is free are called 
functional terms. Accordingly the pop and push clauses in our automata will be 
of the following form: 

$$P(x + y) \Leftarrow P_1(x) \wedge P_2(y) \qquad (6)$$ 

$$P(0) \qquad (7)$$ 

$$P(a) \text{ where } a \text{ is a constant} \qquad (8)$$ 

$$P(-x) \Leftarrow P_1(x) \qquad (9)$$ 

$$P(f(x_1, \ldots, x_n)) \Leftarrow P_1(x_1) \wedge \ldots \wedge P_n(x_n), \ f \text{ being free} \qquad (10)$$ 

$$P(x_i) \Leftarrow Q(f(x_1, \ldots, x_n)) \wedge P_1(x_{i_1}) \wedge \ldots \wedge P_k(x_{i_k}), \qquad (11)$$ 

$f$ being free, $i \in \{1, \ldots, n\} \setminus \{i_1, \ldots, i_k\}$, $1 \le i_1 < \ldots < i_k \le n$ 



While clauses (6)-(10) are pop clauses, we call (11) push clauses. The side conditions 
in (11) will be discussed at the end of this section. 

Clauses (8) are special cases of clauses (10). Also the general push clause 
$P(x) \Leftarrow P_1(-x)$ is equivalent to (9) in the theories ACUM and ACUD. One-way 
ACU (resp. ACUI, ACUX, ACU$X_n$) automata are sets of clauses (3), (6)-(8) 
and (10); one-way ACUM and ACUD automata in addition contain clauses 
(9). We define two-way automata by adding clauses (11) to one-way automata: 
hence two-way automata are sets of clauses (3) and (6)-(11), with the proviso 
that (9) is only included when $- \in \Sigma$. Constant-only automata are one-way 
automata which contain clauses (8) instead of the general clauses (10) (the only 
free symbols in the signature are constants). Given a two-way automaton C we 
define $C_{one\text{-}way}$ to be the part of C without clauses (11). Also, given a one-way 
or two-way automaton C, we define $C_{eq}$ to be the part of C with clauses (3), (6), 
(7) and (9) (the equational part), and $C_{free}$ is the remaining part. 

The languages accepted by all our one-way or two-way automata are trivially 
closed under unions. As we have already dealt with emptiness of one-way 
automata (Lemma 1), we shall concentrate on intersection and reduction of two-way 
to one-way automata. 

Negative Results. It is instructive to first consider constant-only ACU automata 
extended with alternation clauses of the form $P(x) \Leftarrow P_1(x) \wedge P_2(x)$. Then it 
is easy to encode reachable configurations of 2-counter automata M [10] using 
ACU automata (see [7]). It is not our purpose to replay the arguments of [7]. 
Instead here is the idea. We encode configurations $q(m, n)$ of M by atoms 
$q((x + m)a_1 + x a_2 + (y + n)b_1 + y b_2)$ for $x, y \ge 0$. To increment m we add $a_1$ and to 
decrement, we add $a_2$. Zero tests are done by alternation clauses, e.g., if M allows 
moving from state q to q' when $m = 0$, then we write a clause $q'(x) \Leftarrow q(x) \wedge zero_1(x)$ 
where $zero_1$ accepts all terms of the form $x a_1 + x a_2 + (y + n)b_1 + y b_2$. 
As reachability of states in two-counter automata is undecidable, emptiness of 
constant-only ACU automata with alternation clauses is undecidable. The same 
can be proved for the ACUM and ACUD theories. 

Now the above alternation clause can be coded as $Q(f(x)) \Leftarrow P_1(x)$, $P(x) \Leftarrow Q(f(x)) \wedge P_2(x)$ 
for fresh Q. Accordingly, emptiness of constant-only ACU, 
ACUM, ACUD automata with general push clauses is undecidable. This justifies 
the side conditions $i \in \{1, \ldots, n\} \setminus \{i_1, \ldots, i_k\}$, $1 \le i_1 < \ldots < i_k \le n$ in 
(11). 

Note that we don't study automata with +-push clauses: 

$$P(x) \Leftarrow P_1(x + y) \wedge P_2(y) \qquad (12)$$ 

In the ACUX case, this has no impact as (12) is equivalent to (6). In the 
ACUM case (12) can be coded as $P(x + y) \Leftarrow P_1(x) \wedge Q(y)$, $Q(-y) \Leftarrow P_2(y)$. 
In the ACU and ACUD cases, they strictly increase expressiveness as they at 
least encode Petri nets; this is postponed to a later paper. 

Finally adding equality constraints between brothers, i.e. dropping the condition 
that the free variables in the pop clauses should be distinct, also leads to 
undecidability: the alternation clause above can be coded as $P(x) \Leftarrow Q(f(x, y))$, 
$Q(f(x, x)) \Leftarrow P_1(x) \wedge P_2(x)$ for fresh Q. 

3 Starting Up: The Constant-Only ACU Case, 
and an Easy Lemma 

In this section, we recall some important results on constant-only ACU automata 
which will be useful throughout the paper. If the set of constants in the signature 
is $\Sigma_f = \{a_1, \ldots, a_p\}$ then modulo ACU, the ground terms are of the form 
$\sum_{i=1}^{p} n_i a_i$ with $n_i \in \mathbb{N}$: equivalently p-tuples of natural numbers. Recall that a 
linear set is a set of the form $\{v + n_1 v_1 + \ldots + n_k v_k \mid n_1, \ldots, n_k \in \mathbb{N}\}$ for some 
$v, v_1, \ldots, v_k \in \mathbb{N}^p$. A semi-linear set is a finite union of linear sets. The semi-linear 
sets are exactly the sets definable in Presburger arithmetic [5]. In particular they 
are closed under union, intersection, complementation and projection. We have 
the following result, which is also shown in [7] and corresponds to Corollary 6 of [13]. 

Lemma 3. Constant-only ACU automata accept exactly the semilinear sets. 

Proof. The proof uses Parikh's Theorem [14], which states that the commutative 
image of any context-free language is semi-linear, and in fact effectively so, together 
with the observation that the clauses (3), (6), (7) and (8) modulo ACU 
constitute exactly a context-free grammar modulo commutativity. □ 
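To see a constant-only ACU automaton at work, here is an added example (not code from the paper) that computes its least Herbrand model modulo ACU directly on Parikh vectors, using the two derivation rules of Section 2 restricted to clauses (3), (6), (7) and (8). The automaton, the state names and the function names are all constructed for this example. Modulo ACU a ground term over constants a, b is just the pair $(n_a, n_b)$, so the states are saturated with vectors; the sample automaton accepts at `Final` exactly the linear set $\{k(1, 1) \mid k \in \mathbb{N}\}$, a set that is semilinear but not a product of two regular-language counts.

```python
from typing import Dict, List, Set, Tuple

Vector = Tuple[int, ...]

# Constructed sample automaton (not from the paper), using only the
# constant-only clause kinds (3), (6), (7), (8) of Section 2:
#   Eq(0)                              (7)
#   Eq(x + y)   <= Pair(x) /\ Eq(y)    (6)
#   Pair(x + y) <= A(x) /\ B(y)        (6)
#   A(a)   B(b)                        (8)
#   Final(x)    <= Eq(x)               (3)
CONSTANTS: List[str] = ["a", "b"]
EXAMPLE: Dict[str, list] = {
    "zero":   ["Eq"],                                      # P with a clause P(0)
    "consts": [("A", "a"), ("B", "b")],                    # (P, a) for a clause P(a)
    "plus":   [("Eq", "Pair", "Eq"), ("Pair", "A", "B")],  # (P, P1, P2) for P(x+y) <= P1(x) /\ P2(y)
    "eps":    [("Final", "Eq")],                           # (P, P1) for P(x) <= P1(x)
}

def accepted(aut: Dict[str, list], constants: List[str], bound: int) -> Dict[str, Set[Vector]]:
    """Least Herbrand model of the clauses modulo ACU, restricted to vectors
    whose coordinates are all <= bound. Clause (6) only adds coordinates, so a
    derivation of a vector within the bound never passes through a vector
    outside it: the restriction loses nothing and keeps the fixpoint finite."""
    p = len(constants)
    index = {c: i for i, c in enumerate(constants)}
    derived: Dict[str, Set[Vector]] = {}

    def add(state: str, v: Vector) -> bool:
        if any(x > bound for x in v) or v in derived.setdefault(state, set()):
            return False
        derived[state].add(v)
        return True

    zero = (0,) * p
    for state in aut["zero"]:                     # clauses (7): the empty sum
        add(state, zero)
    for state, c in aut["consts"]:                # clauses (8): unit vectors
        unit = list(zero)
        unit[index[c]] = 1
        add(state, tuple(unit))
    changed = True
    while changed:                                # saturate under (6) and (3)
        changed = False
        for state, left, right in aut["plus"]:
            for v1 in list(derived.get(left, ())):
                for v2 in list(derived.get(right, ())):
                    if add(state, tuple(x + y for x, y in zip(v1, v2))):
                        changed = True
        for state, src in aut["eps"]:
            for v in list(derived.get(src, ())):
                if add(state, v):
                    changed = True
    return derived

def accepts(aut: Dict[str, list], constants: List[str], state: str, counts: Dict[str, int]) -> bool:
    """Is the term sum_c counts[c].c, read modulo ACU, accepted at `state`?"""
    v = tuple(counts.get(c, 0) for c in constants)
    bound = max(v) if v else 0
    return v in accepted(aut, constants, bound).get(state, set())

if __name__ == "__main__":
    print(sorted(accepted(EXAMPLE, CONSTANTS, 3)["Final"]))  # [(0, 0), (1, 1), (2, 2), (3, 3)]
    print(accepts(EXAMPLE, CONSTANTS, "Final", {"a": 1, "b": 2}))  # False
```

Because every vector reachable at `Final` is a multiple of (1, 1), the output is the linear set that Lemma 3 predicts; adding a second clause such as `Final(x + y) <= Final(x) /\ A(y)` would change it to the semilinear set $\{(k + j, k) \mid k, j \in \mathbb{N}\}$ without changing the procedure.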

To prepare ourselves, we need another special property of ACU-automata 
which allows us to 'reuse' parts of derivations. This will be required very often 
in the paper. 




Fig. 1. Reuse of ACU derivations 



Lemma 4. Let E be any set of equations containing ACU. Consider a derivation 
δ of an atom $P(t)$ modulo E. Let $\delta_1, \ldots, \delta_n$ be non-overlapping subderivations of 
δ such that outside the $\delta_i$'s, the only equations used are ACU and the set S 
of clauses used contains only clauses of kind (3), (6) and (7) (see Figure 1). 
Suppose the conclusions of $\delta_1, \ldots, \delta_n$ are $P_1(t_1), \ldots, P_n(t_n)$. Then 

1. $t =_{ACU} t_1 + \ldots + t_n$ 

2. If there are derivations $\delta'_1, \ldots, \delta'_n$ of atoms $P_1(s_1), \ldots, P_n(s_n)$ modulo E then 
there is a derivation δ' of $P(s_1 + \ldots + s_n)$ modulo E, containing the $\delta'_i$'s as 
subderivations, such that outside the $\delta'_i$'s, the only equations used are ACU, 
and all clauses used belong to S. 

Proof. The first result follows from induction on δ. For the second, we replace the 
subderivations $\delta_1, \ldots, \delta_n$ by those of $P_1(s_1), \ldots, P_n(s_n)$ respectively. The atoms in 
the rest of the derivation need to be appropriately changed, keeping the clauses 
and equational rewritings applied at each step the same. □ 

The following definition gives one way of computing such $\delta_i$'s and $P_i(t_i)$'s: 

Definition 1. Consider a derivation δ of an atom $P(t)$ in a one-way automaton 
modulo ACU. Let $\delta_1, \ldots, \delta_n$ be the set of maximal subderivations of δ in which 
the last step used is an application of clause (10) (or clause (8)). Suppose the 
conclusions of $\delta_1, \ldots, \delta_n$ are $P_1(t_1), \ldots, P_n(t_n)$ (in which case $t_1, \ldots, t_n$ must be 
functional). Then we will say that the (unordered) list of atoms $P_1(t_1), \ldots, P_n(t_n)$ 
is the functional support of the derivation δ. (From Lemma 4 we have $t =_{ACU} t_1 + \ldots + t_n$.) 
4 One-Way ACUX Case: Closure under Intersection 

Consider a one-way ACUX automaton C with predicates from some finite set $\mathcal{P}$. 
We introduce new predicate symbols (P, Q) and (P, Q) for each $P, Q \in \mathcal{P}$, and 
sets of constants $\Sigma_1 = \{a_{P,Q} \mid P, Q \in \mathcal{P}\}$ and $\Sigma_2 = \{b_{P,Q} \mid P, Q \in \mathcal{P}\}$. The order 
of P, Q in all these is ignored. Instead of intersecting two distinct automata, we 
compute an automaton $C_{inter}$ in which state (P, Q) represents the intersection of P 
and Q for all P, Q. (P, Q) accepts the functional terms among the terms accepted 
at (P, Q). 

Consider the automaton $C^*_{eq} = C_{eq} \cup \{P(a_{P,Q}), P(b_{P,Q}) \mid P, Q \in \mathcal{P}\}$. The idea 
in defining $C^*_{eq}$ and $C_{P,Q,S,T}$ is to compute all possible derivations using clauses of 
the equational part. The $a_{P,Q}$'s and $b_{P,Q}$'s act as 'abstractions' for the functional 
terms accepted at both P and Q. 

From Lemma 3, $L_P(C^*_{eq}/ACU)$ is a semilinear set for every P. For each $S \subseteq \Sigma_2$, 
we define $L_{P,S}$ to be the set of those $t \in L_P(C^*_{eq}/ACU)$ such that each 
constant in S occurs in t a positive and even number of times and no constant 
from $\Sigma_2 \setminus S$ occurs in t. This operation is clearly Presburger-definable, and hence 
$L_{P,S}$ is also a semilinear set. Define $L'_{P,S}$ to be the language obtained from $L_{P,S}$ 
by deleting all symbols of $\Sigma_2$, i.e., taking the image of $L_{P,S}$ under the projection 
that maps $\sum_{i,j} n_{ij} a_{P_i,Q_j} + \sum_{i,j} m_{ij} b_{P_i,Q_j}$ to $\sum_{i,j} n_{ij} a_{P_i,Q_j}$; $L'_{P,S}$ is again a semilinear 
set. Given $P, Q \in \mathcal{P}$ and $S, T \subseteq \Sigma_2$, clearly $L'_{P,S} \cap L'_{Q,T}$ is a semilinear set. By 
Lemma 3, we can construct a constant-only automaton $C_{P,Q,S,T}$ with final state 
$F_{P,Q,S,T}$ such that $L(C_{P,Q,S,T}/ACU) = L'_{P,S} \cap L'_{Q,T}$. We assume that the automata 
$C_{P,Q,S,T}$ are built from mutually disjoint sets of (fresh) states. 

The required automaton $C_{inter}$ has the following clauses: 

— for each $P, Q \in \mathcal{P}$ and each $S, T \subseteq \Sigma_2$, the extended epsilon clause 
$(P, Q)(x) \Leftarrow F_{P,Q,S,T}(x) \wedge \bigwedge_{b_{R,R'} \in S \cup T} (R, R')(x_{R,R'})$. 

— clauses (3), (6) and (7) (but not (8)) from each $C_{P,Q,S,T}$. 

— for each clause $R(a_{P',P''})$ in some $C_{P,Q,S,T}$, the clause $R(x) \Leftarrow (P', P'')(x)$. 

— for each pair of clauses $P(f(x_1, \ldots, x_n)) \Leftarrow P_1(x_1) \wedge \ldots \wedge P_n(x_n)$ and 
$Q(f(x_1, \ldots, x_n)) \Leftarrow Q_1(x_1) \wedge \ldots \wedge Q_n(x_n)$ in $C_{free}$, the clause 
$(P, Q)(f(x_1, \ldots, x_n)) \Leftarrow (P_1, Q_1)(x_1) \wedge \ldots \wedge (P_n, Q_n)(x_n)$. 

If $t =_{ACUX} t'$ then we must have $t =_{ACU} t_1 + \ldots + t_m + u_1 + v_1 + \ldots + u_n + v_n$, 
$t' =_{ACU} t'_1 + \ldots + t'_m + u'_1 + v'_1 + \ldots + u'_p + v'_p$, with $t_i, t'_i, u_i, u'_i, v_i, v'_i$ functional, such 
that $t_i =_{ACUX} t'_i$, $u_i =_{ACUX} v_i$, $u'_i =_{ACUX} v'_i$. The a's act as abstractions for 
the $t_i, t'_i$'s and the b's for the $u_i, v_i, u'_i, v'_i$'s. This is the reason we delete the b's 
from $L_{P,S}$, representing the cancellations using X. Even though we can forget 
the actual values of the $u_i, v_i$'s, we need to be sure that there exist some terms to 
fill their place: this is the reason for the emptiness tests in the extended epsilon 
clauses of $C_{inter}$. In this way we take care of the non-linearity and cancellation in 
the equation $x + x = 0$ using some kind of intersection-emptiness tests, and the 
remaining equations are dealt with using the results on ACU automata. This is 
made precise by Lemmas 5 and 6. 
Lemma 5. If $P(t')$ and $Q(t'')$ are derivable in C modulo ACU and $t' =_{ACUX} t''$, 
then for some $t =_{ACUX} t'$, $(P, Q)(t)$ is derivable in $C_{inter}$ modulo ACU. 



Proof. By induction on the sum of the sizes of the derivations of $P(t')$ and 
$Q(t'')$. The derivations of $P(t')$ and $Q(t'')$ must have functional supports of the 
form $P_1(t'_1), \ldots, P_m(t'_m), I_1(u'_1), \ldots, I_n(u'_n), I'_1(u''_1), \ldots, I'_n(u''_n)$ and 
$Q_1(t''_1), \ldots, Q_m(t''_m), J_1(v'_1), \ldots, J_p(v'_p), J'_1(v''_1), \ldots, J'_p(v''_p)$ respectively, such 
that $t'_i =_{ACUX} t''_i$, $u'_i =_{ACUX} u''_i$ and $v'_i =_{ACUX} v''_i$ respectively. From Lemma 4, 
$P(a_{P_1,Q_1} + \ldots + a_{P_m,Q_m} + 2b_{I_1,I'_1} + \ldots + 2b_{I_n,I'_n})$ and 
$Q(a_{P_1,Q_1} + \ldots + a_{P_m,Q_m} + 2b_{J_1,J'_1} + \ldots + 2b_{J_p,J'_p})$ are derivable 
in $C^*_{eq}$ modulo ACU. Let $S = \{b_{I_1,I'_1}, \ldots, b_{I_n,I'_n}\}$ and $T = \{b_{J_1,J'_1}, \ldots, b_{J_p,J'_p}\}$. 
Then $F_{P,Q,S,T}(a_{P_1,Q_1} + \ldots + a_{P_m,Q_m})$ is derivable in $C_{P,Q,S,T}$ modulo ACU. We must 
have $t'_i = f_i(t'^1_i, \ldots, t'^{k_i}_i)$ and $t''_i = f_i(t''^1_i, \ldots, t''^{k_i}_i)$ with $t'^j_i =_{ACUX} t''^j_i$; the derivation 
of $P_i(t'_i)$ must use a clause $P_i(f_i(x_1, \ldots, x_{k_i})) \Leftarrow P^1_i(x_1) \wedge \ldots \wedge P^{k_i}_i(x_{k_i})$ and the 
derivation of $Q_i(t''_i)$ must use a clause $Q_i(f_i(x_1, \ldots, x_{k_i})) \Leftarrow Q^1_i(x_1) \wedge \ldots \wedge Q^{k_i}_i(x_{k_i})$. 

By induction hypothesis, we must have $t^j_i =_{ACUX} t'^j_i$ such that $(P^j_i, Q^j_i)(t^j_i)$ is 
derivable in $C_{inter}$ modulo ACU. Let $t_i = f_i(t^1_i, \ldots, t^{k_i}_i)$. $(P_i, Q_i)(t_i)$ is derivable in 
$C_{inter}$ modulo ACU using the clause $(P_i, Q_i)(f_i(x_1, \ldots, x_{k_i})) \Leftarrow (P^1_i, Q^1_i)(x_1) \wedge \ldots \wedge (P^{k_i}_i, Q^{k_i}_i)(x_{k_i})$. 
Let the derivation of $F_{P,Q,S,T}(a_{P_1,Q_1} + \ldots + a_{P_m,Q_m})$ in $C_{P,Q,S,T}$ 
have functional support $R_1(a_{P_1,Q_1}), \ldots, R_m(a_{P_m,Q_m})$. Then the clauses $R_i(x) \Leftarrow (P_i, Q_i)(x)$ 
are in $C_{inter}$. Hence $R_1(t_1), \ldots, R_m(t_m)$ are derivable in $C_{inter}$ modulo 
ACU and from Lemma 4, $F_{P,Q,S,T}(t_1 + \ldots + t_m)$ is derivable in $C_{inter}$ modulo 
ACU. Let the required t be $t_1 + \ldots + t_m$. Also by induction hypothesis we must 
have $u_j =_{ACUX} u'_j$, $v_k =_{ACUX} v'_k$ such that $(I_j, I'_j)(u_j)$ and $(J_k, J'_k)(v_k)$ are 
derivable in $C_{inter}$ modulo ACU for $1 \le j \le n$ and $1 \le k \le p$. Using the 
clause $(P, Q)(x) \Leftarrow F_{P,Q,S,T}(x) \wedge \bigwedge_{b_{R,R'} \in S \cup T} (R, R')(x_{R,R'})$ we get a derivation 
of $(P, Q)(t)$ in $C_{inter}$ modulo ACU. Also it is clear that $t =_{ACUX} t'$. □ 



Lemma 6. For $P, Q \in \mathcal{P}$, if $(P, Q)(t)$ is derivable in $C_{inter}$ modulo ACU then 
for some $t' =_{ACUX} t'' =_{ACUX} t$, $P(t')$ and $Q(t'')$ are derivable in C modulo 
ACU. 

Proof. There must be some $S, T \subseteq \Sigma_2$ such that $F_{P,Q,S,T}(t)$ is derivable in $C_{inter}$ 
modulo ACU (with a strictly smaller derivation), and terms $t_{R,R'}$ for each $b_{R,R'}$ 
in $S \cup T$, such that $(R, R')(t_{R,R'})$ is derivable in $C_{inter}$ (with a strictly smaller 
derivation). From the induction hypothesis we get terms $t'_{R,R'} =_{ACUX} t''_{R,R'} =_{ACUX} t_{R,R'}$ 
such that: 

$R(t'_{R,R'})$ and $R'(t''_{R,R'})$ are derivable in C mod ACU, for each $b_{R,R'}$ in $S \cup T$. (*) 

From the definition of $C_{inter}$, the derivation of $F_{P,Q,S,T}(t)$ must have a functional 
support of the form $(R'_1, R''_1)(t_1), \ldots, (R'_m, R''_m)(t_m)$ for some $m \ge 0$, and the 
clause occurring immediately above the derivation of $(R'_i, R''_i)(t_i)$ must be of the 
form $R_i(x) \Leftarrow (R'_i, R''_i)(x)$. Then the clauses $R_i(a_{R'_i,R''_i})$ are in $C_{P,Q,S,T}$ ($1 \le i \le m$). 
From Lemma 4, $F_{P,Q,S,T}(a_{R'_1,R''_1} + \ldots + a_{R'_m,R''_m})$ must be derivable in $C_{P,Q,S,T}$. 
So $a_{R'_1,R''_1} + \ldots + a_{R'_m,R''_m} \in L'_{P,S}$. Therefore we must have $b_{I_1,I'_1}, \ldots, b_{I_n,I'_n} \in S$ ($n \ge 0$) 
such that $a_{R'_1,R''_1} + \ldots + a_{R'_m,R''_m} + 2b_{I_1,I'_1} + \ldots + 2b_{I_n,I'_n} \in L_P(C^*_{eq}/ACU)$. 




Two-Way Equational Tree Automata for AC-Like Theories 189 



Since each $t_i$ is functional, there are $t^1_i, \dots, t^{k_i}_i$ such that $t_i = f_i(t^1_i, \dots, t^{k_i}_i)$,
and the derivation of $(R'_i, R''_i)(t_i)$ in $C_{inter}$ uses as last clause
$(R'_i, R''_i)(f_i(x_1, \dots, x_{k_i})) \Leftarrow (R'^1_i, R''^1_i)(x_1) \wedge \dots \wedge (R'^{k_i}_i, R''^{k_i}_i)(x_{k_i})$ corresponding to clauses
$R'_i(f_i(x_1, \dots, x_{k_i})) \Leftarrow R'^1_i(x_1) \wedge \dots \wedge R'^{k_i}_i(x_{k_i})$ and $R''_i(f_i(x_1, \dots, x_{k_i})) \Leftarrow R''^1_i(x_1) \wedge
\dots \wedge R''^{k_i}_i(x_{k_i})$ of $C_{free}$. Then $(R'^j_i, R''^j_i)(t^j_i)$ must be derivable in $C_{inter}$ using
derivations strictly smaller than that of $(P,Q)(t)$. Hence by induction hypothe-
sis, we have $t'^j_i =_{ACUX} t''^j_i =_{ACUX} t^j_i$ such that $R'^j_i(t'^j_i)$, $R''^j_i(t''^j_i)$ are derivable
in $C$ modulo ACU. Let $t'_i = f_i(t'^1_i, \dots, t'^{k_i}_i)$ and $t''_i = f_i(t''^1_i, \dots, t''^{k_i}_i)$. $R'_i(t'_i)$ is
derivable in $C$ using the clause $R'_i(f_i(x_1, \dots, x_{k_i})) \Leftarrow R'^1_i(x_1) \wedge \dots \wedge R'^{k_i}_i(x_{k_i})$.
Similarly $R''_i(t''_i)$ is derivable in $C$.



Now the derivation of $a_{R'_1,R''_1} + \dots + a_{R'_m,R''_m} + 2b_{I_1,J_1} + \dots + 2b_{I_n,J_n}$ in
$C^*_{eq}$ must have a functional support of the form $R^1_1(a_{R'_1,R''_1}), \dots, R^1_m(a_{R'_m,R''_m})$,
$I^1_1(b_{I_1,J_1}), I^2_1(b_{I_1,J_1}), \dots, I^1_n(b_{I_n,J_n}), I^2_n(b_{I_n,J_n})$, where $R^1_i \in \{R'_i, R''_i\}$ and $I^1_j, I^2_j \in
\{I_j, J_j\}$. Since each $b_{I_j,J_j} \in S$, by (*) $I^1_j(t^1_{I_j,J_j})$, $I^2_j(t^2_{I_j,J_j})$ are derivable in $C$ mod-
ulo ACU. Recall that $R'_i(t'_i)$, $R''_i(t''_i)$ are derivable in $C$ modulo ACU. So from
Lemma 4 $P(t^1_1 + \dots + t^1_m + t^1_{I_1,J_1} + t^2_{I_1,J_1} + \dots + t^1_{I_n,J_n} + t^2_{I_n,J_n})$ is derivable in
$C$ modulo ACU, where $t^1_i \in \{t'_i, t''_i\}$ and $t^l_{I_j,J_j} \in \{t'_{I_j,J_j}, t''_{I_j,J_j}\}$. Let the re-
quired $t'$ be $t^1_1 + \dots + t^1_m + (t^1_{I_1,J_1} + t^2_{I_1,J_1} + \dots + t^1_{I_n,J_n} + t^2_{I_n,J_n})$. Then $t =_{ACUX} t'$
and $P(t')$ is derivable in $C$. Similarly we can find $t''$ such that $t =_{ACUX} t''$ and
$Q(t'')$ is derivable in $C$. $\Box$



From Lemma 1, $\mathcal{L}_P(C/ACUX) \cap \mathcal{L}_Q(C/ACUX) = \mathcal{L}_{(P,Q)}(C_{inter}/ACUX)$
for $P, Q \in \mathcal{P}$. The extended epsilon clauses can be eliminated using Lemma 2.
Hence:



Theorem 1. One-way ACUX automata are closed under intersection. 



5 Two-Way ACUX Case: Translation to One-Way ACUX 

Consider a two-way ACUX automaton $C$ with predicates from $\mathcal{P}$. To convert
it to a one-way automaton, we describe a saturation procedure which adds new epsilon
clauses till the push clauses become redundant. The idea is that if any push
clause is ever used then the corresponding free functional symbol must have
been introduced by some pop clause. But the clauses from $C_{eq}$ might have been
used in between to add new terms, which eventually get canceled using X to
leave only one functional term. Below, the $b$'s act as abstractions for the terms
that are canceled, and the $a$'s for the terms which remain.

We introduce new sets of constants $\Sigma_1 = \{a_P \mid P \in \mathcal{P}\}$ and $\Sigma_2 = \{b_{P,Q} \mid
P, Q \in \mathcal{P}\}$. We do not distinguish between $b_{P,Q}$ and $b_{Q,P}$. We define $C^*_{eq} =
C_{eq} \cup \{P(a_P) \mid P \in \mathcal{P}\} \cup \{P(b_{P,Q}) \mid P, Q \in \mathcal{P}\}$. $\mathcal{L}_P(C^*_{eq}/ACU)$ is a semilinear
set for every $P$. For $P, Q \in \mathcal{P}$ and $S \subseteq \Sigma_2$, define $\mathcal{L}_{P,Q,S,C}$ to be the set of
$t \in \mathcal{L}_P(C^*_{eq}/ACU)$ such that

— $a_Q$ occurs in $t$ exactly once

— $\forall Q' \ne Q.\ a_{Q'}$ does not occur in $t$

— each constant in $S$ occurs in $t$ a positive and even number of times

— no constant from $\Sigma_2 \setminus S$ occurs in $t$.

Clearly $\mathcal{L}_{P,Q,S,C}$ is also semilinear because it is Presburger-definable. In par-
ticular, we can effectively check its emptiness.

If $C$ has a push clause $R(x_i) \Leftarrow P(f(x_1, \dots, x_n)) \wedge R_1(x_{i_1}) \wedge \dots \wedge R_k(x_{i_k})$, a
pop clause $Q(f(x_1, \dots, x_n)) \Leftarrow Q_1(x_1), \dots, Q_n(x_n)$, and there is a set $S \subseteq \Sigma_2$ such
that

— $\mathcal{L}_{P,Q,S,C} \ne \emptyset$

— $\forall b_{Q',Q''} \in S.\ \exists t.$ both $Q'$ and $Q''$ accept $t$ in $C_{one-way}$ modulo ACUX

— $\forall j \in \{1, \dots, k\}.\ \exists t.$ both $Q_{i_j}$ and $R_j$ accept $t$ in $C_{one-way}$ modulo ACUX

— $\forall j \in \{1, \dots, n\} \setminus \{i, i_1, \dots, i_k\}.\ \exists t.\ Q_j$ accepts $t$ in $C_{one-way}$

then we will write $C \rhd C \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$, which we take to constitute
one step of our saturation procedure. This can be effectively decided because of
the fact that one-way ACUX-automata are closed under intersection and hence
their intersection emptiness is decidable. The saturation step is harmless:

Lemma 7. Let $C \rhd C \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$ as above. Then any atom derivable
in $C \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$ modulo ACUX is also derivable in $C$ modulo ACUX.



Proof. It is sufficient to show that for any $t_i$, if $Q_i(t_i)$ is derivable in $C$, then
$R(t_i)$ is derivable in $C$. As in the definition above, let $t_{i_j}$ be the term ac-
cepted at $Q_{i_j}$ and $R_j$ for $j \in \{1, \dots, k\}$. Also let $t_j$ be the term accepted
at $Q_j$ for $j \in \{1, \dots, n\} \setminus \{i, i_1, \dots, i_k\}$. $Q(f(t_1, \dots, t_n))$ is derivable in $C$ us-
ing the pop clause. As $\mathcal{L}_{P,Q,S,C} \ne \emptyset$, there must be an atom of the form
$P(a_Q + 2b_{Q'_1,Q''_1} + \dots + 2b_{Q'_p,Q''_p})$ derivable in $C^*_{eq}$ modulo ACU, with $b_{Q'_i,Q''_i} \in S$.
Let $u_i$ be the term accepted at $Q'_i$ and $Q''_i$ in $C_{one-way}$ modulo ACUX. The
derivation of $P(a_Q + 2b_{Q'_1,Q''_1} + \dots + 2b_{Q'_p,Q''_p})$ must have a functional support of the
form $Q(a_Q), Q^1_1(b_{Q'_1,Q''_1}), Q^2_1(b_{Q'_1,Q''_1}), \dots, Q^1_p(b_{Q'_p,Q''_p}), Q^2_p(b_{Q'_p,Q''_p})$ where $Q^1_i, Q^2_i \in
\{Q'_i, Q''_i\}$. From Lemma 4, we get a derivation of $P(f(t_1, \dots, t_n) + 2u_1 + \dots + 2u_p)$
in $C$ modulo ACUX. Thus modulo ACUX, we have a derivation of $P(f(t_1, \dots,
t_n))$. Then we get a derivation of $R(t_i)$ using the push clause. $\Box$

The converse is trivially true. Thus $C$ and $C \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$ have the
same set of derivable atoms modulo ACUX.

Given a two-way ACUX automaton $C$ our saturation procedure consists of
(don't care non-deterministically) generating a sequence $C_0 (= C) \rhd C_1 \rhd C_2 \dots$
until no new clauses can be generated. This always terminates because there
are only a finite number of epsilon clauses possible. Let the final (saturated) au-
tomaton be $\mathcal{D}$. Then we remove clauses (11) from $\mathcal{D}$ to get a one-way automaton
$\mathcal{D}_{one-way}$. This step is also harmless:

Lemma 8. If any atom is derivable in $\mathcal{D}$ modulo ACUX, then it is derivable
in $\mathcal{D}_{one-way}$ modulo ACUX.
Proof. It is sufficient to show that a derivation in $\mathcal{D}$, which has a push clause at
the root and nowhere else, can be converted to a derivation in $\mathcal{D}_{one-way}$. Suppose
we have a derivation of $R(t_i)$ from the derivations of $P(f(t_1, \dots, t_n))$, $R_1(t_{i_1}), \dots,
R_k(t_{i_k})$ using the push clause $R(x_i) \Leftarrow P(f(x_1, \dots, x_n)) \wedge R_1(x_{i_1}) \wedge \dots \wedge R_k(x_{i_k})$.
Also, the latter derivations use only clauses from $\mathcal{D}_{one-way}$. Hence because of
Lemma 1, we must have a derivation in $\mathcal{D}_{one-way}$ modulo ACU of an atom
of the form $P(f(t'_1, \dots, t'_n) + u_1 + v_1 + \dots + u_p + v_p)$ with functional support of
the form $Q(f(t'_1, \dots, t'_n)), I_1(u_1), J_1(v_1), \dots, I_p(u_p), J_p(v_p)$ such that $t'_i =_{ACUX} t_i$
and $u_i =_{ACUX} v_i$. By Lemma 4, $P(a_Q + 2b_{I_1,J_1} + \dots + 2b_{I_p,J_p})$ is derivable in
$C^*_{eq}$ modulo ACU. Let $S = \{(I_1, J_1), \dots, (I_p, J_p)\}$. Clearly $\mathcal{L}_{P,Q,S,\mathcal{D}} \ne \emptyset$. Now
the derivation of $Q(f(t'_1, \dots, t'_n))$ must be using some clause $Q(f(x_1, \dots, x_n)) \Leftarrow
Q_1(x_1) \wedge \dots \wedge Q_n(x_n)$ and the derivations of $Q_1(t'_1), \dots, Q_n(t'_n)$ in $\mathcal{D}_{one-way}$. As
$t'_i =_{ACUX} t_i$, we have that $\mathcal{D} \rhd \mathcal{D} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$. But $\mathcal{D}$ is already
saturated, hence $R(x_i) \Leftarrow Q_i(x_i) \in \mathcal{D}$. Also $Q_i(t_i)$ is derivable in $\mathcal{D}_{one-way}$.
Hence $R(t_i)$ is derivable in $\mathcal{D}_{one-way}$. $\Box$

The converse is trivially true. Combining Lemmas 7 and 8, we get:

Theorem 2. A two-way ACUX automaton can be effectively converted to a
one-way ACUX automaton accepting the same language.

The results of the ACUX case are easily generalized to the $\mathrm{ACUX}_n$ case for
every $n \ge 2$ by computing intersections of $n$-tuples of states instead of pairs of
states. Hence:

Theorem 3. Two-way $\mathrm{ACUX}_n$ automata have the same expressiveness as one-way
$\mathrm{ACUX}_n$ automata, and are closed under intersection.

6 Constant-Only ACUD Automata 

We shall see that as the ACU case helped us in dealing with the ACUX case,
the ACUD case helps us in dealing with the Abelian groups case.

Let $C$ be a constant-only ACUD automaton with predicates in $\mathcal{P}$. Except for
clauses (9) which introduce '$-$' symbols, $C$ would have been just an ACU au-
tomaton. In the ACUD case, the languages are in fact very similar to semilinear
sets. We now make this more precise. Recall that $\Sigma_f$ is the set of constants in
our signature. Define a set of fresh constants $\bar\Sigma_f = \{\bar a \mid a \in \Sigma_f\}$. Terms built
from $\Sigma_f \cup \{+, -, 0\}$ modulo ACUD are of the form $a_1 + \dots + a_m - b_1 - \dots - b_n$
($m, n \ge 0$ and $a_i, b_j \in \Sigma_f$) while those built from $\Sigma_f \cup \bar\Sigma_f \cup \{+, 0\}$ modulo
ACU are of the form $a_1 + \dots + a_m + \bar b_1 + \dots + \bar b_n$ ($m, n \ge 0$ and $a_i, b_j \in \Sigma_f$).
Hence there is a natural 1-1 correspondence between terms (resp. languages) on
$\Sigma_f \cup \{+, -, 0\}$ modulo ACUD and terms (resp. languages) on $\Sigma_f \cup \bar\Sigma_f \cup \{+, 0\}$
modulo ACU.

Consider new predicate symbols $\bar P$ for every $P \in \mathcal{P}$. Define automaton $\bar C$ to
consist of the following clauses:

— for clause (3) in $C$, the same clause, and $\bar P(x) \Leftarrow \bar P_1(x)$.

— for clause (6) in $C$, the same clause, and $\bar P(x + y) \Leftarrow \bar P_1(x) \wedge \bar P_2(y)$.

— for clause (7) in $C$, the same clause, and $\bar P(0)$.

— for clause (8) in $C$, the same clause, and $\bar P(\bar a)$.

— for clause (9) in $C$, the clauses $P(x) \Leftarrow \bar P_1(x)$ and $\bar P(x) \Leftarrow P_1(x)$.

By simple induction on the derivations, we can show:

Lemma 9. (1) If $P(a_1 + \dots + a_m - b_1 - \dots - b_n)$ is derivable in $C$ modulo ACUD
then $P(a_1 + \dots + a_m + \bar b_1 + \dots + \bar b_n)$ and $\bar P(\bar a_1 + \dots + \bar a_m + b_1 + \dots + b_n)$ are derivable
in $\bar C$ modulo ACU.

(2) If $P(a_1 + \dots + a_m + \bar b_1 + \dots + \bar b_n)$ or $\bar P(\bar a_1 + \dots + \bar a_m + b_1 + \dots + b_n)$ is derivable
in $\bar C$ modulo ACU then $P(a_1 + \dots + a_m - b_1 - \dots - b_n)$ is derivable in $C$ modulo
ACUD.

Hence modulo the correspondence of languages discussed above:

Corollary 1. The language accepted by a constant-only ACUD automaton with
constants from $\Sigma_f$ is a semilinear set with constants from $\Sigma_f \cup \bar\Sigma_f$. Conversely,
a semilinear set with constants from $\Sigma_f \cup \bar\Sigma_f$ can be represented as accepted by
a constant-only ACUD automaton with constants from $\Sigma_f$.

7 Cancellative '$-$' Symbol: Abelian Groups Automata

The ACUM equations are remarkably similar to ACUX: instead of canceling
equal terms, we now cancel terms with opposite signs. In fact the constructions
and proofs in this case are exactly the same as in the ACUX case. As the ACU
case helped in the ACUX case, similarly the ACUD case helps in the ACUM
case. Easy generalizations of Lemma 4 and Definition 1 to the ACUD case are
used.

The key new idea is that instead of canceling pairs of $b$'s as in the ACUX case,
we cancel a $b$ with a $\bar b$, where the $\bar b$'s act as abstractions for the negated terms.
So we omit the full proofs of Theorems 4 and 5, but still make the constructions
explicit.

Theorem 4. One-way ACUM automata are effectively closed under intersec-
tion.

Proof. Let $C$ be a one-way ACUM automaton with predicates in $\mathcal{P}$. As in the ACUX
case we use new predicate symbols $(P,Q)$ and $\overline{(P,Q)}$ for each $P, Q \in \mathcal{P}$. We
will construct automaton $C_{inter}$ which has states $(P,Q)$ to accept the intersection
of $P$ and $Q$. The new sets of constants used are $\Sigma_1 = \{a_{P,Q} \mid P, Q \in \mathcal{P}\}$,
$\Sigma_2 = \{b_{P,Q} \mid P, Q \in \mathcal{P}\}$, $\bar\Sigma_1 = \{\bar a_{P,Q} \mid P, Q \in \mathcal{P}\}$ and $\bar\Sigma_2 = \{\bar b_{P,Q} \mid P, Q \in \mathcal{P}\}$.

Let $C^*_{eq} = C_{eq} \cup \{P(a_{P,Q}), P(b_{P,Q})\}$ for $P, Q \in \mathcal{P}$. From Corollary 1, for every
$P$, $\mathcal{L}_P(C^*_{eq}/ACUD)$ is a semilinear set on the symbols from $\Sigma_1 \cup \bar\Sigma_1 \cup \Sigma_2 \cup \bar\Sigma_2$. For
each $S \subseteq \Sigma_2$, define $\mathcal{L}_{P,S}$ to be the set of those $t \in \mathcal{L}_P(C^*_{eq}/ACUD)$ such that

— each $b_{P,Q} \in S$ occurs in $t$ at least once

— no $b_{P,Q} \in \Sigma_2 \setminus S$ occurs in $t$

— for each $b_{P,Q} \in \Sigma_2$, $b_{P,Q}$ occurs exactly as many times as $\bar b_{P,Q}$ in $t$.

$\mathcal{L}_{P,S}$ is a semilinear set. Let $\mathcal{L}'_{P,S}$ be the language obtained from $\mathcal{L}_{P,S}$ by deleting
all the symbols from $\Sigma_2 \cup \bar\Sigma_2$. This is again a semilinear set. For $P, Q \in \mathcal{P}$ and
$S, T \subseteq \Sigma_2$, $\mathcal{L}'_{P,S} \cap \mathcal{L}'_{Q,T}$ is a semilinear set. By the second part of Corollary 1,
we can construct a constant-only ACUD automaton $C_{P,Q,S,T}$ on signature $\Sigma_1 \cup
\{+, -, 0\}$ with a final state $F_{P,Q,S,T}$ such that $\mathcal{L}(C_{P,Q,S,T}/ACUD) = \mathcal{L}'_{P,S} \cap \mathcal{L}'_{Q,T}$.
We assume that the automata $C_{P,Q,S,T}$ are built from mutually disjoint sets of
(fresh) states.

The required automaton $C_{inter}$ has the following clauses:

— for each $P, Q \in \mathcal{P}$ and each $S, T \subseteq \Sigma_2$, the clause $(P,Q)(x) \Leftarrow F_{P,Q,S,T}(x) \wedge
\bigwedge_{b_{R,R'} \in S \cup T} (R,R')(x_{R,R'})$.

— clauses (3), (6), (7) and (9) (but not (8)) from each $C_{P,Q,S,T}$.

— for each clause $R(a_{R',R''})$ in some $C_{P,Q,S,T}$, the clause $R(x) \Leftarrow (R',R'')(x)$.

— for each pair of clauses $P(f(x_1, \dots, x_n)) \Leftarrow P_1(x_1) \wedge \dots \wedge P_n(x_n)$ and $Q(f(x_1,
\dots, x_n)) \Leftarrow Q_1(x_1) \wedge \dots \wedge Q_n(x_n)$ in $C_{free}$, the clause $(P,Q)(f(x_1, \dots, x_n)) \Leftarrow
(P_1,Q_1)(x_1) \wedge \dots \wedge (P_n,Q_n)(x_n)$. $\Box$



Theorem 5. Two-way ACUM automata can be effectively converted to one-
way ACUM automata.

Proof. Consider a two-way ACUM automaton $C$ with predicates in $\mathcal{P}$. As with
ACUX we describe the base step of the saturation procedure that adds epsilon
clauses. (No new ideas are used.) The new sets of constants used are $\Sigma_1 = \{a_P \mid
P \in \mathcal{P}\}$, $\bar\Sigma_1 = \{\bar a_P \mid P \in \mathcal{P}\}$, $\Sigma_2 = \{b_{P,Q} \mid P, Q \in \mathcal{P}\}$, and $\bar\Sigma_2 = \{\bar b_{P,Q} \mid P, Q \in \mathcal{P}\}$.

We define $C^*_{eq} = C_{eq} \cup \{P(a_P) \mid P \in \mathcal{P}\} \cup \{P(b_{P,Q}) \mid P, Q \in \mathcal{P}\}$. From Corollary 1,
for every $P$, $\mathcal{L}_P(C^*_{eq}/ACUD)$ is a semilinear set on constants from $\Sigma_1 \cup \Sigma_2 \cup \bar\Sigma_1 \cup \bar\Sigma_2$.
For $P, Q \in \mathcal{P}$ and $S \subseteq \Sigma_2$, define $\mathcal{L}_{P,Q,S,C}$ to be the set of $t \in \mathcal{L}_P(C^*_{eq}/ACUD)$
such that

— $a_Q$ occurs in $t$ exactly once

— $\forall Q' \ne Q.\ a_{Q'}$ does not occur in $t$

— each constant in $S$ occurs in $t$ at least once

— no constant from $\Sigma_2 \setminus S$ occurs in $t$

— for each $b_{P,Q} \in \Sigma_2$, $b_{P,Q}$ occurs exactly as many times as $\bar b_{P,Q}$ in $t$.

$\mathcal{L}_{P,Q,S,C}$ is also semilinear because the above conditions are definable us-
ing Presburger formulas. In particular, we can effectively check emptiness of
$\mathcal{L}_{P,Q,S,C}$.

If $C$ contains a push clause $R(x_i) \Leftarrow P(f(x_1, \dots, x_n)) \wedge R_1(x_{i_1}) \wedge \dots \wedge R_k(x_{i_k})$,
a pop clause $Q(f(x_1, \dots, x_n)) \Leftarrow Q_1(x_1), \dots, Q_n(x_n)$, and a set $S \subseteq \Sigma_2$ such that

— $\mathcal{L}_{P,Q,S,C} \ne \emptyset$

— $\forall b_{Q',Q''} \in S.\ \exists t.$ both $Q'$ and $Q''$ accept $t$ in $C_{one-way}$ modulo ACUM

— $\forall j \in \{1, \dots, k\}.\ \exists t.$ both $Q_{i_j}$ and $R_j$ accept $t$ in $C_{one-way}$ modulo ACUM

— $\forall j \in \{1, \dots, n\} \setminus \{i, i_1, \dots, i_k\}.\ \exists t.\ Q_j$ accepts $t$ in $C_{one-way}$

then we write $C \rhd C \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$, which is one step of our saturation
procedure. The rest works as in the ACUX case. $\Box$

8 Simpler Cases: General ACU and ACUD Automata

We observe that all the complications in the ACUX and ACUM cases were
because of the equations $x + x = 0$ and $x - x = 0$ which cancel terms. Forgetting
them (but keeping the distributivity of the '$-$' symbol) we get the ACU and ACUD
cases, which formed the basis of our results in the ACUX and ACUM cases. By
looking at the proofs, it is easy to see that all the results proved for ACUX and
ACUM automata continue to hold for ACU and ACUD automata. In fact they
become much simpler: all we need to do is to systematically ignore the parts
about the $b$'s and $\bar b$'s which accounted for cancellations. For lack of space we content
ourselves with summarizing the results:

Theorem 6. Two-way ACU (resp. ACUD) automata can be effectively con-
verted to one-way ACU (resp. ACUD) automata and are effectively closed under
intersection.

9 Idempotence Axiom: ACUI Automata

In the ACUI case also we use techniques similar to the previous cases. We have:

Theorem 7. One-way ACUI automata are effectively closed under intersec-
tion.

Proof. Let $C$ be a one-way ACUI automaton with predicates from $\mathcal{P}$. Instead of
computing intersections of pairs of states, we will need to compute intersections
of all tuples of states. Hence we introduce new predicates $S$ and $\overline{S}$ for every $\emptyset \ne
S \subseteq \mathcal{P}$. A state $S = \{P_1, \dots, P_n\}$ represents the intersection of states $P_1, \dots, P_n$.
$\overline{S}$ accepts the functional terms among the terms accepted at $S$.

For each $\emptyset \ne S \subseteq \mathcal{P}$ we introduce a new constant $a_S$ which will be used as an
abstraction for the terms to be accepted at $\overline{S}$. Let $C^*_{eq} = C_{eq} \cup \{P(a_S) \mid P \in S\}$.
From Lemma 3, $\mathcal{L}_P(C^*_{eq}/ACU)$ is a semilinear set for every $P$. Define $\mathcal{L}_P =
\{n_1 a_{S_1} + \dots + n_k a_{S_k} \mid \text{some } m_1 a_{S_1} + \dots + m_k a_{S_k} \in \mathcal{L}_P(C^*_{eq}/ACU),\ 1 \le n_i \le m_i\}$.
This step accounts for the contractions using the equation I. $\mathcal{L}_P$ is a semilinear
set. For every $\emptyset \ne S \subseteq \mathcal{P}$, $\mathcal{L}_S = \bigcap_{P \in S} \mathcal{L}_P$ is a semilinear set. By Lemma 3,
we can construct a constant-only ACU automaton $C_S$ with final state $F_S$ such
that $\mathcal{L}(C_S/ACU) = \mathcal{L}_S$. We assume that the automata $C_S$ are built from mutually
disjoint sets of (fresh) states.

The required automaton $C_{inter}$ has the following clauses:

— for each $\emptyset \ne S \subseteq \mathcal{P}$, the clause $S(x) \Leftarrow F_S(x)$.

— clauses (3), (6) and (7) (but not (8)) from each $C_S$.

— for each clause $R(a_S)$ in some $C_S$, the clause $R(x) \Leftarrow \overline{S}(x)$.

— for clauses $P_i(f(x_1, \dots, x_n)) \Leftarrow P^i_1(x_1) \wedge \dots \wedge P^i_n(x_n)$ in $C$ for $1 \le i \le k$, $k \ge 1$,
the clause $\overline{S}(f(x_1, \dots, x_n)) \Leftarrow S_1(x_1) \wedge \dots \wedge S_n(x_n)$ where $S = \{P_1, \dots, P_k\}$
and $S_j = \{P^1_j, \dots, P^k_j\}$. $\Box$

While the one-way automata are closed under intersection, unlike in the
other theories, we do not know whether the two-way automata have the same
expressiveness as the one-way automata. Still we do know that the two-way
ACUI automata are powerful enough to encode alternation: the clause $P(x) \Leftarrow
P_1(x) \wedge P_2(x)$ can be encoded as $Q_1(f(x)) \Leftarrow P_1(x)$, $Q_2(f(x)) \Leftarrow P_2(x)$, $Q(x +
y) \Leftarrow Q_1(x) \wedge Q_2(y)$, $P(x) \Leftarrow Q(f(x))$ for fresh predicates $Q_1, Q_2, Q$. We have
already seen that alternation produces undecidability for the ACU, ACUD and
ACUM theories. This suggests that this problem is difficult and might require
new techniques.

10 Conclusion 

We have dealt with one-way and two-way tree automata modulo the equational
theories ACU (associativity, commutativity, unit), ACUD (ACU with a dis-
tributive '$-$' symbol), ACUM (Abelian groups), ACUX (exclusive-or), $\mathrm{ACUX}_n$
(generalized exclusive-or, $n \ge 2$), and ACUI.

For each of these theories, we have shown that the languages accepted by 
one-way automata are effectively closed under union and intersection, and that 
emptiness is decidable. Also for all these theories except ACUI, the two-way 
automata can be translated to equivalent one-way automata. Care has been 
taken to suitably restrict the format of push clauses (look back at the side- 
conditions of (11)): without them emptiness would be undecidable in the ACU, 
ACUD and ACUM cases. In particular the corresponding two-way automata 
would not be reducible to one-way automata. We also saw that alternation leads 
to undecidable cases modulo these theories. In this sense, these automata have 
different behavior than classical (i.e. non-equational) automata. 

Two questions remain to be answered. First, the equivalence between two- 
way and one-way ACUI automata is conjectured. Second, the effect of adding 
clauses (12), which is trivial for the theories ACUX and ACUM, is unknown for
the others. Preliminary results show that this strictly increases expressiveness 
modulo ACU or ACUD. 
Abstract. Dimensional safety policy checking is an old topic in software
analysis concerned with ensuring that programs do not violate basic prin- 
ciples of units of measurement. Scientific and/or navigation software is 
routinely dimensional and violations of measurement unit safety policies 
can hide significant domain-specific errors which are hard or impossible 
to find otherwise. Dimensional analysis of programs written in conven- 
tional programming languages is addressed in this paper. We draw gen- 
eral design principles for dimensional analysis tools and then discuss our 
prototypes, implemented by rewriting, which include both dynamic and 
static checkers. Our approach is based on assume/assert annotations of 
code which are properly interpreted by our tools and ignored by standard 
compilers/interpreters. The output of our prototypes consists of warn- 
ings that list those expressions violating the unit safety policy. These 
prototypes are implemented in the rewriting system Maude. 



1 Introduction 

Checking software for measurement unit consistency, also known as dimensional 
analysis, is an old topic in software analysis. Software developed for scientific do- 
mains, such as physics, mechanics, mathematics or applications of those, often 
involves units of measurement despite the lack of support provided by underlying 
programming languages. Computations using entities having attached physical 
units can be quite complex; detecting dimensional inconsistencies in such com- 
putations, for example adding or comparing meters and seconds, can reveal deep 
domain-specific errors which can be hard, if not impossible, to find by just ana- 
lyzing programs within their language’s semantics, automatically or not. 

To emphasize the importance and nontrivial nature of dimensional analysis, 
we recall two notorious real-life failures. NASA’s Mars Climate Orbiter space- 
craft crashed into Mars’ atmosphere on 30 September 1999 due to a software 
navigation error; peer review findings indicate that one team used English units 
(e.g., inches, feet) while the other used metric units for a key spacecraft opera- 
tion [24]. On 19 June 1985, the space shuttle Discovery flew upside down over 
Maui during an experiment, in an attempt to point the mirror to a spot 10,023 
nautical miles above sea level; that number was supplied in units of feet and then
fed into the onboard guidance system, which unfortunately was expecting units 

* This work is supported by joint NSF/NASA grant CCR-0234524. 
in nautical miles, not feet [22]. These two failures, as well as many other lower
magnitude ones, could have been avoided by using dimensional analysis tools. 

There is much work on supporting measurement units in programming lan- 
guages. The earliest mention of the idea of incorporating units in programming 
languages, to our knowledge was in 1960 [5]. Karr and Loveman [17] suggested a 
mechanism that allowed units to occur in programs. There have been proposals 
for dimensional checking within existing languages like Pascal [9,10] and Ada 
[11], and even in formal specification of software [14]. An intuitive approach to 
strengthen type checking in programming languages was also suggested in [16]. 
The Mission Data System (MDS) team at NASA JPL developed a C++ library 
incorporating hundreds of classes representing typical units, like MeterSecond, to-
gether with appropriate methods to replace the arithmetic operators when mea- 
surement unit objects are involved. These techniques based on type checking, in 
addition to adding runtime overhead due to additional method calls (which can 
admittedly be minimized by optimized compilers), cause inconvenience to pro- 
grammers and make the development of reusable software difficult. Furthermore, 
they limit the class of allowable (or type checkable) programs to an unaccept- 
ably low level. For example, a program calculating the geometric mean of the 
elements in a vector of meters needs a temporary variable which is multiplied 
incrementally by each element in the array; the unit of this temporary variable 
changes at each iteration, so it cannot be declared using any fixed type. The 
solution adopted by MDS is to remove and attach types to numerical values via 
appropriate extractors and constructors, which, of course, is a safety leak. 

Packages for dimensional analysis and integrity in Ada have been proposed 
in [15,20], employing the use of Ada’s abstraction facilities, such as operator 
overloading and type parameterization. Using a discipline of polymorphic pro- 
gramming, it was suggested in [21] that type checking can and should be sup- 
ported by semantic proof and theory. This was extended in [23] using explicit 
type scheme annotations and type declarations and in [27] for type-indexed val- 
ues in ML-like languages. The approach in [25] associated numeric types with 
polymorphic dimension parameters, avoiding dimension errors and unit errors. 
Kennedy proposed a formally verified method to incorporate, infer and check di- 
mension types in ML-style languages [19], and provided a parametricity theorem 
saying that the behavior of programs is independent of the units used [18]. 

All the above study based on extensions, sometimes quite heavy, of program- 
ming languages, builds a foundation for languages equipped with dimensional 
information. However, due to practical, economical and/or taste reasons, these 
approaches have not been accepted by mainstream programmers and have not 
been widely used in applications. For instance, it is exceedingly inconvenient 
for programmers to rewrite a whole large application in another language - the 
one extended with unit types - just to avoid measurement unit conflicts. In this 
paper we propose a lighter-weight, rewriting-based approach to check measure-
ment unit consistency, which has the main advantage that it does not modify 
the underlying programming language at all. The user interacts with our tools 
via code annotations, which are just comments, and via safety policy violation 
warning reports. We provide an integrated tool containing both dynamic and
static checkers implemented by rewriting in Maude, and explain their trade-offs. 

We mainly focus on examples and general concepts here, mentioning that our 
Maude rewriting implementation has more than 2,000 rewriting rules. One can 
find more information (including complete source code) and download our tools, 
at http://fsl.cs.uiuc.edu. The work presented in this paper has been started 
by the second author as a former researcher at NASA. 

2 Preliminaries 

In this section we recall the basics of the BC and Maude languages. BC is the 
language on which we applied our measurement unit safety checking approach 
presented in this paper, but an implementation targeting C is under current 
development and one targeting Java is under design. Maude is a rewriting based 
executable specification language that we used to implement our prototypes. 

BC. Our domain-specific safety checking approach is general, both with re- 
spect to the domain of interest and with respect to the underlying programming 
language, but we firstly applied it to the GNU BC language, which comes with 
any Unix platform [1], because it is a simple but still practical language hav- 
ing most of the characteristics of current imperative languages. BC [1] is an 
arbitrary precision calculator language, typically used for mathematical and sci- 
entific computation. The most basic element in BC is the number. BC has only 
two types of variables, simple variables and arrays, which are used to store num- 
bers. The syntax of expressions and statements in BC is very similar to that of 
C. It includes all the arithmetic, logical and relational operators found in C, in 
addition to the increment “++” and decrement “--” operators, and it also allows
control structures for branching and looping through constructs like if, for and 
while. Comments start with the characters /* and end with */. BC programs 
are executed as the code is read, on a line by line basis; multiple instructions 
on a single line are allowed if separated by semicolon. It allows auto variables 
in functions, which are intended as variables for local usage; however, they are 
distinguished from the traditional local variables, their active range being ex- 
tended over those functions called by the function in which they are defined, 
thus giving BC a dynamic scoping language flavor. By pushing auto variables 
and parameters of functions into stack dynamically, BC supports recursive func- 
tions. One can type man bc on any UNIX platform for more information on GNU
BC. For some unexplained reason, only one-character identifiers are allowed by 
the BC implementation on Sun platforms; therefore we recommend the readers 
interested in experimenting with large examples to use the Linux version of BC. 



Maude. Maude [6] is a high performance rewriting-based specification and 
verification system in the OBJ family [13]. We use Maude to specify BC along 
with its executable semantics and its domain-specific operational semantics w.r.t 
units of measurements. The following is a Maude module implemented in our unit
safety analysis tool, defining a segment of the theory of units of measurement: 



fmod UNITS is protecting INT .
  sorts BUnit SpecialUnit Unit UnitList . subsorts BUnit SpecialUnit < Unit < UnitList .
  ops mile kg meter second Newton Celsius Fahrenheit : -> BUnit .
  ops noUnit any fail : -> SpecialUnit . op _^_ : Unit Int -> Unit [prec 10] .
  op __ : Unit Unit -> Unit [assoc comm prec 15] . op nil : -> UnitList .
  op __ : UnitList UnitList -> UnitList [assoc id: nil] .
  vars U U' : Unit . vars N M : Int . eq Newton = kg meter second ^ -2 .
  eq U noUnit = U . eq U any = U . eq U fail = fail . eq fail ^ N = fail .
  eq any ^ N = any . eq noUnit ^ N = noUnit . eq U ^ 1 = U . eq U U = U ^ 2 .
  ceq U ^ 0 = noUnit if ((U =/= fail) and (U =/= any)) .
  eq U (U ^ N) = U ^ (N + 1) . eq (U ^ N) (U ^ M) = U ^ (N + M) .
  eq (U U') ^ N = (U ^ N) (U' ^ N) . eq (U ^ N) ^ M = U ^ (N * M) .
endfm



We assume the reader familiar with Maude. In the above module, we have differ- 
ent types (sorts) of data: BUnit for basic units, SpecialUnit, Unit and UnitList. 
Units like mile and noUnit have been declared as constants of sorts BUnit and 
SpecialUnit, respectively. The intuition for the special units is that they can be 
used in any unit context but can be distinguished from the basic units. The unit 
any is a unit which can be dynamically converted to any other unit, depending on 
the context; for example, in a BC statement like x++, the increment 1 is of unit
any and is dynamically converted to the current unit associated to the variable
x. The special unit noUnit is used to distinguish a cancelled unit (for example
after calculating meter^(1-1)) from the unit any, in order to report appropriate
warnings, and the special unit fail is attached to a variable in case its unit can-
not be computed due to safety violations, such as the unit of z after executing
z = x + y in an environment in which x has the unit meter while y has the unit
second. We claim, without proof, that the specification above is confluent and 
terminating, so it can be used as a computational model for unit equivalences. 



3 Executable Semantics of Programming Languages 

Equational logic is an important paradigm in computer science. It admits com- 
plete deduction and is efficiently mechanizable by rewriting: CafeOBJ [8], Maude 
[6] and Elan [3] are equational specification and verification systems in the OBJ 
[13] family that can perform millions and tens of millions of rewrites per second 
on standard PC platforms. It is expressive: Bergstra and Tucker [2] showed that 
any computable data type can be characterized by means of a finite equational 
specification, and Goguen and Malcolm [12], Wand [26], Broy, Wirsing and Pep- 
per [4], and many others showed that equational logic is essentially strong enough 
to easily describe virtually all traditional programming language features. 

Following the example in [12], we have defined the semantics of BC as an 
equational algebraic specification. Our BC specification has about 500 equations 
in Maude, all unconditional. Thanks to Maude’s speed in executing uncondi- 
tional equational specifications, we were able to run dozens of non-trivial, often 
recursive BC programs, directly within their semantics in Maude. The overall 
reduction in speed was a factor of about 25-30, which we found satisfactory for
our prototypes, which essentially extend the executable semantics of BC with 
new, domain-specific definitions for safety policies. 

Briefly, the executable semantics of BC declares an operation run which takes 
a program and a list of integers (its input) and returns another list of integers (its 
output). To execute programs properly, one needs to also define environments, 
which are sets of pairs (variable, integer). Because of recursive function calls, one 
needs to also stack these environments dynamically, as the program executes. 
Appropriate operations to update the environment are also defined, as well as 
operations to properly deal with return, break and continue statements. 



4 Design Conventions and Annotation Schemas 

The design of our prototypes has been influenced by three major factors: correct- 
ness, unchanged native programming language, and low amount of annotations. 



Correctness. “Correctness” means that all violations of safety policy will be 
reported. We consider correctness a crucial aspect because, unlike other tools 
like ESC [7] intended to help users find many bugs with relatively little effort,
our tools are intended to be used on safety critical software, such as aircraft and
navigation, where software developers want to be aware of any inconsistency. 



Unmodified Programming Language. Another major influencing factor in 
our design was the decision to not modify the underlying programming language 
at all, for example by adding new types. Our reason for this decision is multiple. 
First, we do not want to worry about providing domain specific compilers; one 
can just use the state of the art optimized compilers for the specific programming 
language under consideration. Second, by enforcing an auxiliary typing policy on 
top of a programming language in order to detect unit inconsistencies via type 
checking, one should pay the price of some runtime overhead due to method calls 
that will replace all the normal arithmetic operators; our static prototype does 
not add any runtime overhead. Third and perhaps most importantly, since we 
do not add new types to the language, we do not put the user in the unfortunate 
situation to have a correct program rejected because it cannot be type checked, 
which is in our view the major drawback of typed approaches to unit safety; 
instead, our user has the option to either add auxiliary unit specific information 
to help the checker or to ignore some of the warning messages. 



Annotation Schemas. The mechanism by which users can add auxiliary, in 
this case measurement unit specific, information to a program is via annotations, 
which are special comments at appropriate places in the program. Annotations 
are introduced with the syntax /*U ... U*/, which is understood by our tools 
and ignored by compilers, and are of two kinds: assumptions and assertions. 
Our annotation schemas are general and can be applied to any domain-specific 
safety policy checker, but in this paper we will focus on unit safety policy. 

We now present an example showing some of the complex unit expressions 
that can be manipulated by our tool, and also emphasizing the importance 
of annotations. The program below provides functions to calculate distances, 
convert energy and calculate the angle under which a projectile of a given weight 
should be launched in order to travel a given distance: 

define sqrtnaive(x) { 
  auto temp; temp = 0; /*U assume unit(temp) = sqrt(unit(x)) U*/ 
  while (1) { if (temp*temp == x) return temp; if (temp*temp > x) return temp-1; temp += 1; } 
} 
define lb2kg(w) /*U assert unit(w) = lb U*/ /*U assume returns kg U*/ { return 10 * w / 22; } 
define distance(x1, y1, x2, y2) { return sqrtnaive((x2-x1)^2 + (y2-y1)^2); } 
define energy2speed(energy, weight) { return sqrtnaive(2 * energy / weight); } 
define prjTangent(dist, speed, g) /*U assert unit(speed)^2 = unit(dist) unit(g) U*/ 
{ auto dx, dy; dx = speed*speed + sqrtnaive(speed^4 - (dist*g)^2); dy = dist*g; 
  return dx/dy; } 

projectilex = 0; /*U assume unit(projectilex) = meter U*/ 
projectiley = 0; /*U assume unit(projectiley) = unit(projectilex) U*/ 
targetx = 17; /*U assume unit(targetx) = unit(projectilex) U*/ 
targety = 21; /*U assume unit(targety) = unit(projectiley) U*/ 
dist = distance(projectilex, projectiley, targetx, targety); 
projectileweight = 5; /*U assume unit(projectileweight) = lb U*/ 
energy = 2560; /*U assume unit(energy) = kg meter^2 second^-2 U*/ 
speed = energy2speed(energy, projectileweight); 
g = 10; /*U assume unit(g) = meter second^-2 U*/ 
print(prjTangent(dist, speed, g)); 

The first function is the naive implementation of square root and the second one 
is a converting routine, from lb to Kg. The next function computes the distance 
between two points. No annotations are given, but a warning will be generated 
anyway if the arguments do not have the same unit. The fourth function com- 
putes the speed of an object, given the energy acting on it. The last function 
computes the tangent of the angle of a projectile, given a certain distance it wants 
to reach, an initial speed and a gravitational acceleration. This function is an- 
notated with an assertion describing a unit invariant among its arguments. This 
allows one to use such functions in various contexts, such as under metric or En- 
glish system conventions, as well as for other possible combinations of units. One 
can now assume a context in which these functions are called. The above code 
contains a unit safety violation, which is immediately reported by both checkers. 
The error will be reported when the function projectileTangentAngle is called, 
because the unit of speed is kg^(1/2) meter second^-1 lb^(-1/2), so the assertion 
of function projectileTangentAngle will be violated. To correct this problem, the 
user should first properly convert the projectile weight to Kg, so the speed should 
be assigned the expression energy2speed(energy, lb2kg(projectileweight)). 
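As an added illustration (not the authors' Maude checker), the following Python replays the unit computation of the program above: with the weight passed in lb the unit of speed comes out as kg^(1/2) meter second^-1 lb^(-1/2) and the assertion of the tangent function fails; after the lb2kg conversion it holds. The unit-algebra functions and the handling of the universal unit any and of fail are this example's own assumptions, as is the choice that any absorbs in products.

```python
"""Toy replay of the dynamic unit check on the projectile program above.

Added example, not the authors' Maude checker. A unit is a product of basic
units with rational exponents, so that sqrt(unit(x)) is exact; 'any' is the
universal unit and 'fail' marks an expression that violated the policy.
"""
from fractions import Fraction
from typing import Dict, Tuple, Union

Unit = Union[Dict[str, Fraction], str]  # e.g. {'meter': 2, 'second': -2}, 'any', 'fail'
ANY, FAIL = "any", "fail"


def parse_unit(text: str) -> Unit:
    """'kg meter^2 second^-2' -> {'kg': 1, 'meter': 2, 'second': -2}."""
    unit: Dict[str, Fraction] = {}
    for atom in text.split():
        name, _, exp = atom.partition("^")
        unit[name] = unit.get(name, Fraction(0)) + Fraction(exp or 1)
    return {k: v for k, v in unit.items() if v != 0}


def fmt(unit: Unit) -> str:
    """Inverse of parse_unit; basic units are listed alphabetically."""
    if isinstance(unit, str):
        return unit
    return " ".join(k if v == 1 else f"{k}^{v}" for k, v in sorted(unit.items()))


def power(unit: Unit, exp: Fraction) -> Unit:
    if isinstance(unit, str):
        return unit
    return {k: v * exp for k, v in unit.items() if v * exp != 0}


def mul(a: Unit, b: Unit) -> Unit:
    """Unit of a product; any * u is taken as any (this example's assumption)."""
    if FAIL in (a, b):
        return FAIL
    if ANY in (a, b):
        return ANY
    out = dict(a)
    for k, v in b.items():
        out[k] = out.get(k, Fraction(0)) + v
    return {k: v for k, v in out.items() if v != 0}


def div(a: Unit, b: Unit) -> Unit:
    return mul(a, power(b, Fraction(-1)))


def sqrt(a: Unit) -> Unit:
    """What the assumption inside sqrtnaive declares: unit(result) = sqrt(unit(x))."""
    return power(a, Fraction(1, 2))


def same(a: Unit, b: Unit) -> bool:
    """Compatibility as the checker sees it: fail never, any always, else equality."""
    if FAIL in (a, b):
        return False
    if ANY in (a, b):
        return True
    return a == b


def add(a: Unit, b: Unit) -> Unit:
    """Unit of a sum or difference: operands must agree, otherwise the result is
    fail (the warning the unannotated distance function raises on mixed units)."""
    if not same(a, b):
        return FAIL
    return b if a == ANY else a


def check_projectile(weight_unit: str) -> Tuple[str, bool]:
    """Follow the unit flow of the program with the weight handed to energy2speed
    in `weight_unit`: 'lb' as written (violation) or 'kg' after lb2kg (the fix).
    Returns (unit of speed, whether the tangent function's assertion holds)."""
    meter = parse_unit("meter")
    env = {"projectilex": meter, "projectiley": meter, "targetx": meter, "targety": meter,
           "energy": parse_unit("kg meter^2 second^-2"),
           "g": parse_unit("meter second^-2"), "weight": parse_unit(weight_unit)}
    # distance: sqrtnaive((x2-x1)^2 + (y2-y1)^2)
    dx = add(env["targetx"], env["projectilex"])
    dy = add(env["targety"], env["projectiley"])
    dist = sqrt(add(power(dx, Fraction(2)), power(dy, Fraction(2))))
    # energy2speed: sqrtnaive(2 * energy / weight); the constant 2 carries no unit
    # (locality principle), so only energy / weight matters.
    speed = sqrt(div(env["energy"], env["weight"]))
    # prjTangent's assertion: unit(speed)^2 = unit(dist) unit(g)
    holds = same(power(speed, Fraction(2)), mul(dist, env["g"]))
    return fmt(speed), holds
```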

Reducing the Amount of Annotations. Influenced by the observed and 
sometimes openly declared reluctance of ordinary programmers and software 
engineers to modify or insert annotations in their programs, we paid special 
attention to reducing the amount of annotations to a minimum possible. As a 
consequence, every variable by default is considered to have its own unit, which 
is different from any other existing unit. This principle of course extends to auto 
variables, their units being considered different from the units of global variables 
having the same name. Our tool will therefore output a warning on the simple 
program print (x+y), because x and y cannot be shown to have the same unit. 

This brings us to a major design convention of our tool, called the locality 
principle, which assumes that the user understands what (s)he is doing locally, 
within a single instruction, with respect to constants. For example, if one writes 
x++, then one means to increase the value of x by 1, and this 1 has exactly the 
same unit as x. The same increment instruction can be reached several times 
during the execution of the program; each time the unit of the increment will 
be dynamically converted to the unit of x, which can be different each time. 
There is no difference between the statements x++ and x = x + 1, so we apply 
the same locality principle to numerical constants. That implies that in x = x 
+ 5, the unit of 5 will be converted to the unit of x and no warning will be 
reported. Additionally, a constant assignment to a variable, such as x = 5, will 
not change the unit of x. Our motivation for these conventions is again to keep the 
amount of code annotation low, but the users thinking that our locality principle 
yields a safety leak have the option to always attach a unit to numerical values 
via appropriate assumptions, e.g., temp = 5; /*U assume unit(temp) = second 
U*/, and then execute x = x + temp; a warning will be reported in this case if 
the unit of x cannot be shown to be second. Based on these efforts, the following 
example of sorting needs only one assumption to satisfy the safety policy: 



n = 25; /*U assume unit(i) = any U*/ 
for (i = 1; i <= n; i = i + 1) a[i] = n - i + 1; 
for (i = 1; i < n; i = i + 1) 
  for (j = i + 1; j <= n; j = j + 1) 
    if (a[j] < a[i]) { temp = a[i]; a[i] = a[j]; a[j] = temp; } 
for (i = 1; i <= n; i = i + 1) print(a[i]); 



The only assumption needed, assigning the universal unit any to the counter i, 
guarantees the compatibility of i and n when they are compared later, within the 
loop conditions. The first loop, which assigns decreasing numbers to the elements 
of the array a, also assigns the unit of n, which is considered to be a fresh unit 
different from any other unit because no unit has been explicitly assigned to it, 
to each of the 25 elements of a. In the case of the static analyzer, the array a will 
be assigned the unit of n by executing the loop body symbolically only twice, 
regardless of the value of n (because the environment set stabilizes; see Section 5). 
Then the second loop is analyzed and no warning is reported because 
the nested loop assigns the unit of i, which is any, to j, so any subsequent com- 
parisons of j are safe; the environment set also stabilizes in two iterations of the 
loop. Similarly the third loop can be certified without any auxiliary information. 
Without the assumption, 5 warnings would be reported. 



5 Rule-Based Dynamic and Static Analysis Tool 



The current version of our tool supports only the BC language, but it is being 
extended to support C and Java (see http://fsl.cs.uiuc.edu). 
Tool Development. The tool is invoked with the command “bc-unit [-so] 
filename” where s and o are optional. By default, the tool starts its dynamic 
checker, which is described below, and its output consists of a list of warnings 
reported in the order of execution. A warning consists of the line number and 
the expression violating safety; the same warning can appear many times if the 
unsafe expression has been executed more than once. The option “-o” tells the 
tool to output the warning list ordered by line numbers without redundancy. 
The option “-s” triggers the static checking mode. 

We used Maude as a rule-based programming language to implement both 
the dynamic and the static checkers. Since programs to be analyzed are expected 
to be provided as terms to Maude, we have implemented a simple wrapper (about 
300 lines of PERL code), whose workflow is the following: 

1. Adjust the input program to be parsable by Maude, e.g., add spaces around 
BC symbols, add line numbers, delete unnecessary comments, detect the 
variable and function names and define them as appropriate constants, etc.; 

2. Invoke either the dynamic or the static Maude checker (which are described 
below) to verify the generated program term; 

3. Collect Maude’s output, parse it and produce user friendly error messages. 

This way users can use our tool in a push-button fashion, without seeing Maude. 



Dynamic Checker. Our Maude dynamic unit safety checker interprets the 
BC program within its executable semantics enriched with the unit safety pol- 
icy. This is realized by extending the executable semantics specification of BC 
discussed in Section 3. A major extension is with respect to execution environ- 
ments. An execution environment is now a set of triples, each triple containing 
a variable, an integer value and a unit of measurement. The integer value is 
used to determine the execution flow of the analyzed program, while the unit 
is used to check the safety policy. For example, if the expression x + y is en- 
countered at line number 15 and the execution environment contains the triples 
[x, 7, meter^2 second] and [y, 3, meter second] then the value 10 is correctly 
assigned to the sum of x and y but a warning message will be issued of the form 
15 : x + y. If the expression x + y was assigned to a variable, say x, then the 
new environment will assign the value 10 and the unit fail to the variable x. 
Since BC supports recursive function calls and auto variables, all the environ- 
ment stacking technique needs to be extended to the enriched environments. 

Another major extension of the BC semantics is with respect to the newly 
introduced code annotations, which act like new, domain-specific instructions. 
An assumption /*U assume unit(Var) = UnitExp U*/ is interpreted by our dy- 
namic checker as follows: 1) first evaluate the unit expression UnitExp in the 
current environment, hereby obtaining a result which is an expression using just 
basic units, then 2) modify the current environment by associating the newly 
calculated unit to the variable Var, without changing its current integer value; 
if UnitExp fails to evaluate to a correct unit, due to violations of the safety pol- 
icy, then the unit fail will be assigned to Var. Due to its precision in analysis 
because of the exact execution path and environment, the dynamic checker can 
allow the user to assign different units to different elements in an array. In fact, 
any abstract memory location can have any unit associated with it. Assumptions 
/*U assume returns UnitExp U*/ are interpreted as follows: when a function call 
is invoked in an expression context, UnitExp is evaluated and returned as unit 
associated to the function call; the function call will also take place, and all 
additional warnings while executing the function are collected and reported. As- 
sertions of boolean unit expressions are simply evaluated to boolean values and 
warnings are returned if they evaluate to false. 



Static Checker. The main idea behind our static unit analyzer is that the 
concrete execution path of the program to be checked is entirely ignored; in- 
stead, all executions are considered in parallel. An immediate assumption is to 
also ignore all the numerical values and only consider the domain-specific, ab- 
stract values (units of measurement) of variables. Therefore, environments will 
now consist of pairs (variable, unit). Since the concrete indexes in arrays are not 
available anymore, it assumes that, unlike its dynamic version, all the elements 
in an array have the same unit. Due to the loss of precision, at each point in the 
program one has to consider a set of environments, namely all those in which 
a potential execution of the program can be. Each statement will be abstractly 
evaluated in all the environments. If the unit safety policy is violated in any 
of the environments then a warning will be output. A new set of environments 
will be computed after each statement. The treatment of loops is non-trivial. 
A general solution would involve loop invariants, which we would like to avoid 
as much as possible because they are poorly understood by ordinary programmers 
and software engineers. Our alternative solution is based on code patterns. More 
precisely, we define loop patterns that we can efficiently analyze statically. One 
such pattern is a loop whose body, when symbolically executed under a set of 
possible environments, does not change that set of environments; if this is the 
case then the loop can be safely ignored. Another pattern is one which symbol- 
ically executes the loop until the set of environments stabilizes; this pattern for 
example is triggered in order to analyze the sorting algorithm in Section 4. 
If a certain loop does not fall under any of the provided patterns, then all the 
defined variables in the loop are invalidated (their unit is set to fail) and the 
static analysis process continues. The user can intervene and attach proper units 
to failed variables. The advanced user can add new patterns. 
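As an added example (not the authors' Maude implementation), a toy version of the static checker in Python: an environment is a set of (variable, unit) pairs, a conditional keeps the outcomes of both branches, and a loop is executed symbolically until the set of environments stabilizes, falling back to invalidating the assigned variables with fail. Run on the sorting program of Section 4 it needs two iterations for the first loop and reports no warning, and ten serialized conditionals whose branches disagree leave 1024 environments, as in the experiments below. The statement encoding, the fresh-unit names u_<var> and the iteration bound are this example's assumptions.

```python
"""Toy version of the paper's static checker (added example, not the Maude tool).
Numbers are ignored; a unit is an opaque name, 'any' the universal unit, 'fail'
an invalidated one, and an unannotated variable v defaults to a fresh unit 'u_v'.
Programs are constructed tuples: ('assume', var, unit), ('assign', var, operands),
('compare', var, var), ('if', then_block, else_block), ('loop', body); operands
are variables summed with + or -, '#' standing for a numeric constant, which by
the locality principle takes the unit of the other operands."""
from typing import FrozenSet, List, Sequence, Set, Tuple

ANY, FAIL = "any", "fail"
Env = Tuple[Tuple[str, str], ...]  # sorted (variable, unit) pairs, hashable
EnvSet = FrozenSet[Env]

def lookup(env: Env, var: str) -> str:
    return dict(env).get(var, "u_" + var)

def bind(env: Env, var: str, unit: str) -> Env:
    return tuple(sorted({**dict(env), var: unit}.items()))

def additive(units: Sequence[str]) -> str:
    """Unit of a sum: '#' and 'any' adapt; two different concrete units violate."""
    concrete = {u for u in units if u not in ("#", ANY)}
    if FAIL in concrete or len(concrete) > 1:
        return FAIL
    return concrete.pop() if concrete else (ANY if ANY in units else "#")

def step(env: Env, stmt, warnings: Set[str]) -> EnvSet:
    kind = stmt[0]
    if kind == "assume":  # /*U assume unit(var) = unit U*/
        return frozenset({bind(env, stmt[1], stmt[2])})
    if kind == "assign":
        unit = additive([o if o == "#" else lookup(env, o) for o in stmt[2]])
        if unit == FAIL:
            warnings.add(f"{stmt[1]} = {' + '.join(stmt[2])}")
        if unit == "#":  # x = 5 leaves the unit of x unchanged
            unit = lookup(env, stmt[1])
        return frozenset({bind(env, stmt[1], unit)})
    if kind == "compare":  # e.g. the loop condition i <= n
        if additive([lookup(env, stmt[1]), lookup(env, stmt[2])]) == FAIL:
            warnings.add(f"{stmt[1]} ? {stmt[2]}")
        return frozenset({env})
    if kind == "if":  # both branches are possible: keep both outcomes
        here = frozenset({env})
        return run(here, stmt[1], warnings) | run(here, stmt[2], warnings)
    if kind == "loop":
        return loop(frozenset({env}), stmt[1], warnings)[0]
    raise ValueError(kind)

def run(envs: EnvSet, block, warnings: Set[str]) -> EnvSet:
    """Abstractly execute a statement list in every environment of the set."""
    for stmt in block:
        envs = frozenset().union(*(step(env, stmt, warnings) for env in envs))
    return envs

def loop(envs: EnvSet, body, warnings: Set[str], bound: int = 32) -> Tuple[EnvSet, int]:
    """'Stabilize' pattern: run the body until the environment set stops changing
    (entry environments stay, the loop may run zero times). Returns the set and
    the iterations used; past `bound`, variables assigned in the body get 'fail'."""
    for iteration in range(1, bound + 1):
        nxt = envs | run(envs, body, warnings)
        if nxt == envs:
            return envs, iteration
        envs = nxt
    assigned = [s[1] for s in body if s[0] in ("assign", "assume")]
    out = set()
    for env in envs:
        for var in assigned:
            env = bind(env, var, FAIL)
        out.add(env)
    return frozenset(out), bound

def analyze(program) -> Tuple[EnvSet, List[str]]:
    warnings: Set[str] = set()
    return run(frozenset({()}), program, warnings), sorted(warnings)

# The sorting program of Section 4 in this encoding (a stands for the whole
# array, since in static mode every element shares one unit).
SWAP = [("assign", "temp", ["a"]), ("assign", "a", ["a"]), ("assign", "a", ["temp"])]
INNER = [("compare", "j", "n"), ("compare", "a", "a"), ("if", SWAP, []),
         ("assign", "j", ["j", "#"])]
SORT = [("assign", "n", ["#"]), ("assume", "i", ANY),
        ("loop", [("compare", "i", "n"), ("assign", "a", ["n", "i", "#"]),
                  ("assign", "i", ["i", "#"])]),
        ("loop", [("compare", "i", "n"), ("assign", "j", ["i", "#"]),
                  ("loop", INNER), ("assign", "i", ["i", "#"])])]
SORT_UNANNOTATED = [s for s in SORT if s[0] != "assume"]

def first_loop_iterations() -> int:
    """Iterations the first loop needs to stabilize (two, as the paper states)."""
    warnings: Set[str] = set()
    return loop(run(frozenset({()}), SORT[:2], warnings), SORT[2][1], warnings)[1]

def serial_conditionals(count: int, agree: bool) -> int:
    """Environments left after `count` serialized conditionals: 1 when both
    branches assign the same unit, 2**count when they differ (1024 for 10)."""
    prog = [("if", [("assume", f"x{k}", "meter")],
             [("assume", f"x{k}", "meter" if agree else "second")]) for k in range(count)]
    return len(analyze(prog)[0])
```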



Some Experiments. In most of our experiments the Maude executable defi- 
nition of BC was about 25-30 times slower than BC vl.06 on Linux platforms, 
which is a good factor considering that we build our tools directly on top of a 
mathematically clean setting. Adding measurement unit knowledge to the BC 
specification basically doubles its size and further increases the execution time 
of programs by a factor of 5. Since many physics programs essentially calcu- 
late a function and have just one execution path, one can argue that having a 
precise dynamic measurement unit safety checker is extremely useful, even if it 
slows down the execution of the program by 2-3 orders of magnitude. The static 
checker needs more axioms because it implements several patterns for loops. If a 
loop falls under a known pattern then it is discarded quickly; otherwise, the user 
intervention may be needed to add new assumptions as annotations. The killing 
complexity factor for the static checker is conditional branches when these mod- 
ify the unit-specific environment differently, which in our experience happens 
very rarely. We tried examples where 10 worst-case 10-line conditionals were 
serialized, for a total of 1024 situations to analyze, and it took our static checker 
about 3 seconds to check it. On the other hand, if the two branches generate the 
same abstract environment, that is, if they both modify the units of variables 
in the same way, then we were able to analyze 1,000 repetitions of best-case 10-line 
conditionals, so a total of 10,000 lines of BC code, in about 1 second. 



Discussion. The main advantage of the dynamic checker is the precision of its 
reported warnings: any reported warning represents a violation of the unit safety 
policy. The user should therefore consider these reports very seriously and should 
have strong reasons to ignore them. The main drawback of the dynamic checker 
is its coverage: it only covers the path that was traversed by the particular 
execution of the program. Therefore, other errors might exist in the analyzed 
program which were not revealed and which can appear when the program is 
executed with different input. Another drawback of the dynamic unit safety 
checker is that its execution time consists of the analyzed program execution time 
plus the runtime overhead. Therefore, if a program calculates a computationally 
complex function or does not terminate in a reasonable time, then so does the 
unit safety prototype, which can be a serious drawback in some applications. 

An advantage of the static checker is that it covers all the potentially reach- 
able code. So it will not miss any unsafe expression. A careful and patient analysis 
of the reported warnings can lead one to find all the unit safety leaks. Another 
advantage is its relative efficiency, because it does not execute the programs, 
so non-termination of the program does not imply non-termination of the tool. 
However, depending on the amount of theorem proving that one wants to put in 
such a static certifier, it can actually become rather inefficient. A major drawback 
of the static certifier is the potentially long list of false alarms that it reports. 

6 Conclusion and Future Work 

A promising annotation based approach to dimensional safety has been pre- 
sented, together with a tool including both dynamic and static safety checkers 
implemented by rewriting in Maude. Future work includes extending the pattern 
database for the static checker and designing a general purpose invariant based 
loop analysis technique to be launched as a last pattern. 
1 Introduction 

I take the opportunity given by this invited talk to promote two ideas: (1) a 
topological point of view can fertilize the notion of rewriting and (2) this topo- 
logical approach of rewriting is at the core of the modeling and the simulation 
of an emerging class of dynamical systems (DS): the DS that exhibit a dynamical 
structure (or (DS)^2 in the rest of this paper). 

This presentation is based upon the results of two research projects, 81/2 
and MGS, that I have pursued hand in hand with Olivier Michel. The results 
and software tools presented here belong also to him and have been elaborated 
thanks to our long and fruitful collaboration. 

I have voluntarily adopted in this presentation an informal style, including 
some non-technical considerations. Thus, the reader must take the opinions, 
subjective statements and positions expressed here with a grain of salt. For the 
technical details, he may refer to the papers published elsewhere. The MGS home 
page: http://mgs.lami.univ-evry.fr is a good starting point. 

This presentation is organized as follows. Section 2 tries to develop an alter- 
native understanding of the concept of a data structure: a data structure can be 
seen as a space where the computation moves following some path. This point 
of view is exemplified in section 3 on the design of a uniform data structure. 
The result, called a GBF, is founded on the group generated by the elementary 
moves (or displacements) in the data structure. The section 4 introduces the 
MGS experimental language used to investigate the idea of associating compu- 
tations to paths through rules. The application of such rules can be seen as a 
kind of rewriting process on a collection of objects organized by a topological 
relationship (the neighborhood). Simple examples of MGS programs are given in 
section 4.4. However, a privileged application domain for MGS is the modeling 
and simulation of dynamical systems that exhibit a dynamic structure. Section 5 
sketches this point and gives a short presentation of several models. We review 
to conclude some related and future work. 



R. Nieuwenhuis (Ed.): RTA 2003, LNCS 2706, pp. 208-233, 2003. 
(c) Springer-Verlag Berlin Heidelberg 2003 
2 Data Structures as Spaces 

The fundamental concept of data structure is ubiquitous in computer science as 
well as in all branches of mathematics. Its characterization is then not easy. Some 
approaches emphasize on the construction of more sophisticated data structures 
from basic ones (e.g. domain theory); other approaches focus on the operations 
allowed on data structures (e.g. algebraic specification). 

Species of structures. In [BLL97], a data structure s is presented as an organiza- 
tion or an arrangement o performed on a data set D. Quoting the introduction 
we can say that it is customary to consider the pair s = (o, D) and to say that 
s is a structure o of D (for instance a list of int, an array of float, etc.). It is 
outlined that a customary approach consists in working with these pairs in the 
framework of axiomatic set theory. For example, the set $\mathcal{G}$ of simple directed 
graphs (directed graphs without multiple edges) can be defined by: 

$$ s = (o, D) \in \mathcal{G} \iff o \subseteq D \times D $$

This traditional approach considers equally the structure o and the set D and 
does not stress the structure o as a set of places or positions, independently of 
their occupation by elements of D. This last point of view is taken into account 
by the less traditional approach of species of structures [BLL97] motivated by 
the development of enumeration techniques and counting problems. 

Space of a data structure. This point of view is also fruitful, even if one is not 
interested in counting the instances of a data structure. As a matter of fact, a 
lot of algorithms are structured following the structure of their data input or 
their data output and are largely insensitive to the precise values in their data 
set. This is obviously true for all polymorphic and polytypic functions, like map, 
fold, etc. [MFP91]. The notion of shape [Jay95] and shape type [FM97] also 
separates the set of places of a data structure from the values it contains. 

Once we do not focus on the values manipulated in a program, we can analyze 
the previous notions as attempts to specify classes of moves or paths related 
to a given data structure. For example, there are two kinds of fold on lists: 
fold_left traverses the list from the head to the tail, and fold_right goes 
in the reverse direction. Another example: a shape type in [FM97] is defined 
as a grammar specifying the admissible paths resulting from following pointers 
in C data structures. So, in our context, the point of view is topological rather 
than combinatorial: a data structure can be seen as a space, the set of places 
or positions between which the programmers, the computation and the values, 
move. 

At last, the notion of move or path relies on some notion of neighborhood: 
moving from one point to a neighbor point. Although speaking of neighborhood 
in a data structure is not usual, the relative accessibility from one element to 
another is a key point usually considered in a data structure. For example: 

— In a simply linked list, the elements are accessed linearly (the second after 
the first, the third after the second, etc.). 

— In a circular buffer, or in a double-linked list, computation goes from one 
element to the following or to the previous one. 

— From a node in a tree, we can access the sons. 

— The neighbors of a vertex V in a graph are visited after V when traveling 
through the graph. 

— In a record, the various fields are locally related and this localization can be 
named by an identifier. 

— Neighborhood relationships between array elements are left implicit in the 
array data structure. Implementing neighborhood on arrays relies on an in- 
dex algebra: index computations are used to code the access to a neighbor. 
For example (i - 1, j) is the index used to access the “north neighbor” of point 
(i, j) (we assume that the “north” direction is mapped to the first element 
of the index tuple). The standard example of index algebra is integer tuples 
with linear mappings $\lambda x.\, x \pm 1$ along each dimension (called “Von Neumann” 
or “Moore” neighborhoods). More than 99% of array references are affine 
functions of array indexes in scientific programs [GG95]. 

This list of examples can be continued to convince ourselves that a notion of 
logical neighborhood is fundamental in the definition of a data structure. The 
concept of logical neighborhood in a data structure is not only an abstraction 
perceived by the programmer and vanishing at the execution, but it does have 
an actual meaning for the computation. The computation indeed complies with 
the logical neighborhood structure of the elements. For instance, recursive com- 
putations on a data structure respect so often the logical neighborhood, that 
standard high-order functions can be automatically defined from the data struc- 
ture organization (think about catamorphisms and others polytypic functions 
on inductive types [FS96, NO94]). 

Paths and Computations. In a sequential computation, elements of the data 
structure are visited one after the other. We assume that if element e' is visited 
just after element e in a data structure s, then e' must be a neighbor of e in 
some (concrete or abstract) way. We call the move from e to e' a shift and the 
succession of visited elements makes a path in s. The idea of sequential path can 
be extended to include parallel modes of computations: multi-dimensional paths 
must be used instead of one-dimensional paths [GJ92]. 

To summarize our presentation, we assume that a computation induces a 
path in a space defined by the neighborhood relationships between the elements 
of a data structure. At each shift, some elementary computation is done. Each 
topological operation used to build a path can then be turned into a new control 
structure that composes program fragments. 

This schema is presented in an imperative setting but can be easily rephrased 
into the declarative programming paradigm by just specifying the linking of com- 
putational actions with path specifications. When a path specification matches 
an actual path in a data structure, then the corresponding action is triggered. 
It is very natural, especially in this topological framework, to require that the 
results of the computational action be local: the corresponding data structure 
transformation is restricted to the value of the elements involved in the path 
and eventually to the organization of the path elements and their neighborhood 
relationships. Such transformation is qualified as local. 

This declarative schema induces a rule-oriented style of programming: a rule 
defines a local transformation by specifying the path to be matched and the 
corresponding action. A program run consists in the transformation of a whole 
data structure by the simultaneous application of local transformations to non- 
intersecting paths. Obviously, such global transformation can then be iterated. 
Figures 1, 2 and 3 present three examples of algorithms where this topological 
emphasis is particularly relevant. 









Fig. 1. Bead sort is a new sorting algorithm [ACD02]. The idea is to represent positive 
integers by a set of beads, like those used in an abacus. Beads are attached to vertical 
rods and appear to be suspended in the air just before sliding down (a number is read 
horizontally, as a row). After their fall, the rows of numbers have been rearranged 
such that the smaller numbers appear on top of greater numbers. The corresponding 
one-line MGS program is given in section 4.4. 




x, y / x > y  =>  y, x 



Fig. 2. A kind of bubble-sort is immediate in MGS; it is sufficient to specify the ex- 
change of two non-ordered adjacent elements in a sequence. The corresponding one-line 
MGS program is given in section 4.4. (This is not really bubble-sort because swapping 
of elements can take place at arbitrary positions; hence an out-of-order element does not 
necessarily bubble to the top in the characteristic way.) 
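As an added illustration (not the MGS implementation; the one-line MGS programs are in section 4.4, not on this page), a small Python engine that applies a rule on a path of two neighbouring elements in parallel to non-intersecting paths and iterates the global transformation to a fixpoint, used here for the exchange rule of Fig. 2 and for the falling beads of Fig. 1. The greedy left-to-right choice of non-intersecting paths is this example's assumption.

```python
"""Toy MGS-style transformation engine for sequences (added example, not the
MGS implementation). A rule matches a path of two neighbouring elements and
returns its replacement, or None. One evolution step applies the rule in
parallel to non-intersecting matched paths (as in Fig. 5); steps are iterated
until no path matches any more. Greedy left-to-right matching is this example's
choice of strategy."""
from typing import Callable, List, Optional, Sequence, Tuple, TypeVar

T = TypeVar("T")
Rule = Callable[[T, T], Optional[Tuple[T, T]]]


def step(seq: Sequence[T], rule: Rule) -> Tuple[List[T], int]:
    """Apply `rule` once to every non-intersecting adjacent pair it matches."""
    out, i, applied = list(seq), 0, 0
    while i + 1 < len(out):
        rhs = rule(out[i], out[i + 1])
        if rhs is None:
            i += 1
        else:
            out[i], out[i + 1] = rhs
            i += 2  # both elements are consumed: matched paths must not intersect
            applied += 1
    return out, applied


def fixpoint(seq: Sequence[T], rule: Rule) -> Tuple[List[T], int]:
    """Iterate the global transformation until no local rule applies.
    Returns the final collection and the number of evolution steps."""
    steps = 0
    while True:
        seq, applied = step(seq, rule)
        if applied == 0:
            return list(seq), steps
        steps += 1


def swap_unordered(x, y):
    """Fig. 2: the rule 'x, y / x > y => y, x'."""
    return (y, x) if x > y else None


def bubble_like_sort(seq: Sequence[int]) -> List[int]:
    """Every swap removes one inversion, so the iteration ends on a sorted sequence."""
    return fixpoint(seq, swap_unordered)[0]


def bead_fall(above: int, below: int):
    """Fig. 1: a bead (1) above an empty cell (0) on a rod slides down one cell."""
    return (0, 1) if (above, below) == (1, 0) else None


def bead_sort(numbers: Sequence[int]) -> List[int]:
    """Each number is a row of beads on the first k rods; beads fall along every
    rod independently; reading the rows back gives the numbers in ascending order."""
    width = max(numbers, default=0)
    rows = [[1] * n + [0] * (width - n) for n in numbers]
    rods = [[row[c] for row in rows] for c in range(width)]  # each rod, top to bottom
    fallen = [fixpoint(rod, bead_fall)[0] for rod in rods]
    return [sum(rod[r] for rod in fallen) for r in range(len(numbers))]
```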
Fig. 3. Eratosthenes' sieve. The successive natural numbers are generated by the first 
cell (round box) and travel along a sequence of cells containing the previous prime 
numbers (square boxes). If a traveling number is divisible by the number in a cell, it is 
erased, else, it is passed to the right neighbor. When a number reaches the end of the 
sequence, it becomes a new cell extending the sequence. 




Fig. 4. A local transformation of a topological collection. Collection A is of some kind 
(set, sequence, array, cyclic grid, tree, term, etc). A rule T specifies that a subcollection 
B of A has to be substituted by a collection C computed from B. The right hand side 
of the rule is computed from the subcollection matched by the left hand side x and its 
possible neighbors x' in the collection A. 



Rewriting and the Topological Approach. This topological approach shares many 
features with the idea of rewriting. Indeed, we can suppose that the computa- 
tional action linked to a path is to replace this path by another one: this is the 
case for the four previous examples. Then, we retrieve the idea of rewriting, see 
figure 4 and 5, except that usually rewriting is described as the substitution of 
some sub-structure by another one (e.g. a sub-term by another term). What we 
gain with the topological emphasis is to focus on paths in the data structure 
instead of sub-structures^1. Is this a real gain? 

The purpose of the MGS research project is to answer this question. To have 
a positive answer we have to show that: 

1. it is possible to define a data structure through the specification of the 
neighborhood of its elements, 

2. it is possible to define the substitution of a path by another one and to 
control the substitution strategy, 

3. and this is useful in some application area. 

The next section sketches the notion of Group Based Datafield (GBF) and is 
an example of a positive answer to question 1. This example is important also 



^1 See however [Gia00]. 
Fig. 5. Transformation and iteration of a transformation. A global transformation T 
is a set of local transformations applied in parallel and synchronously to make one 
evolution step. The local transformations do not interact together. A transformation 
can then be iterated. 



because it integrates the array data structure, which opens the way to array 
rewriting and gives at least one answer to question 3. The section 4 introduces 
an experimental language, called also MGS, used to investigate the design space 
of question 2. The section 5 shows the use of the previous tools in the domain of 
dynamical systems modeling (especially in biology) and provides another answer 
to question 3. 

3 The Example of Uniform Neighborhood 
Data Structures: GBF 

From now on, we use the term topological collection to stress the topological 
organization of the data structure’s elements. In this section, we will sketch 
a possible design for uniform topological collections. A topological collection 
is uniform if every element of the data structure has the same neighborhood 
structure. More precisely, we assume in this study that: (1) the set of places 
filled by the elements of the data structure is predefined (i.e. preexists to any 
occurrence of the data structure), and (2) the shifts followed to go from some 
place to a neighbor place can be named and (3) that the set G of shift names, 
called directions, is the same for all places (like for example a “next neighbor” 
and a “previous neighbor” that exist for each element in a circular list). 

The Group Structure of Uniform Neighborhood. Let "a", "b", "c", ... be the direc-
tion names and let P(a) be the "a" neighbor of the element P. Displacement
operations can be composed: using a multiplicative notation, we write P(a.b) for
(P(a))(b). Displacement composition is associative. We note 1 the null displace-
ment, i.e. P(1) = P. Furthermore we will define a unique inverse displacement
a^-1 for each displacement a such that P(a.a^-1) = P(a^-1.a) = P. In other words,
the displacements constitute a group G for the displacement composition, and
the application ·(·) of the displacements to the places is the action of the group
over the places of the data structure. The simplest choice for the set of places 𝒫
and the corresponding action is to let 𝒫 = G and P(a) = P.a (the group acts
transitively on itself).

We assume that the group G is specified through a finite presentation with 
generators G (and G denotes indifferently the group and its presentation). Then, 
Fig. 6. Graphical representation of the relationships between Cayley graphs and group
theory. A vertex is a group element. The label a of an edge corresponds to the generator
a of the group. There is an edge between vertices P and Q labelled by a iff P.a = Q.
A word (a product of generators) can be seen as a path. Starting from vertex P, a path
w ends in P.w. Path composition corresponds to word multiplication. A closed path
(a cycle) is a word equal to e (the identity of the multiplication). An equation v = w
can be rewritten v.w^-1 = e and then corresponds to a cycle in the graph. There
are two kinds of cycles in the graph: the cycles that are present in all Cayley graphs
and correspond to group laws (intuitively: a backtracking path like b.a.a^-1.b^-1),
and closed paths specific to the group's own equations (e.g.: a.b^-1.a^-1.b). The graph
connectedness (there is always a path going from P to Q) is equivalent to saying that
there is always a solution x to the equation P.x = Q.



the discrete space spanned by G acting on itself is conveniently described by the
Cayley graph associated to the presentation. See figure 6 for a dictionary between
graph theory and group related concepts.

Group Indexed Data Structure. A GBF is an extension of the notion of array,
where the elements are indexed by the elements of a group [GMS95, GM01a]. A
GBF value g of type G is a partial function with a finite definition domain^ that
associates a value to some group elements. The group elements are the places of
the collection. Thus the empty GBF is the everywhere undefined function. The
acronym GBF stands for Group Based Datafield. The formalization of a data
structure as a function is not new; it constitutes for instance the foundation
of the theory of data fields [Lis93] and is heavily used in [Gia00]. In computer
science, it is common to think about a function as a rule to be performed in order
to obtain a result starting from an argument: this is the intensional notion of
functions. Here, we rather rely on the extensional notion: a function is a set of
pairs relating the argument and the result. This is closer to the concept of a
data structure: for instance, an array tabulates the relationship between the set

^ The definition domain of g is the subset of G of the elements having a well defined
image by g.
of indices and the array elements and a GBF tabulates the relationship between
the set of places G and their values (this is why GBFs are required to have a
finite definition domain). We insist that the view of data structures as functions
is only logical and appears only at the level of the data structure definition. It
does not assume anything about the data structure implementation.

GBF in MGS. Here is an example. The finite presentation

gbf Grid2 = < north, east >

introduces in MGS (see section 4) a new collection type called Grid2, corre-
sponding to the Von Neumann neighborhood in a classical array (a cell above,
below, left or right, not diagonal), see figure 7. The two names north and east
refer to the directions that can be followed to reach the neighbors of an element.
These directions are the generators of the underlying group structure. The <
and > brackets are used for the presentation of Abelian groups and to avoid the
explicit writing of the commutation equations. In this presentation, there is no
explicit equation (beside the implicit commutation of the generators): Grid2 is
a free Abelian group.

The following declaration defines a non-free Abelian group: 

gbf Hexagon = <east, north, northwest; east + north = northwest > 

The Cayley graph of Hexagon defines a hexagonal lattice that tiles the plane,
see figures 7 and 8. Each cell has six neighbors (following the three generators
and their inverses). The equation east + north = northwest specifies that a
move following northwest is the same as a move following the east direction
followed by a move following the north direction.

Uniform neighborhood and classical data structures. Free groups with n generators
correspond to n-ary trees and Abelian GBFs correspond to twisted and circular
grids (the free Abelian group with n generators generalizes n-dimensional
Fig. 7. These shapes correspond to a Cayley graph of Hexagon and Grid2 with the
following conventions: a vertex is represented as a face and two neighbors in the Cayley
graphs share an edge in this representation. An empty cell has an undefined value. Only
a part of the infinite domain is figured.
Fig. 8. Eden's model on a grid and on a hexagonal mesh (initial state, and states
after the 3rd and the 7th time steps). The Eden aggregation process is a simple model of
growth. The model has been used since the 1960's as a model for such things as tumor
growth and growth of cities. In this model (specifically, a type B Eden model [Ede58]),
a 2D space is partitioned into empty or occupied cells. We start with only one occupied
cell. At each step, occupied cells with an empty neighbor are selected, and the cor-
responding empty cell is made occupied. This process is simply described as exactly the
same transformation for both cases:

trans Eden = { x, <undef> / x => x, true }

We assume that the boolean value true is used to represent an occupied cell; other
cells are simply left undefined. Then the previous rule can be read: an occupied element
x and an undefined neighbor are transformed into two occupied elements. This model
cannot be coded by only one simple rule on a two-state cellular automaton if one wants
to avoid that two distinct occupied cells preempt the same unoccupied cell.



arrays). Thus, GBFs are able to describe in the same formalism both trees and
arrays, a feature not available with regular inductive data types.

GBF Implementations. Accessing the value associated to a group element re-
quires the comparison of generator words modulo the equations of the GBF: this
is the word problem for groups and it is undecidable in general. However, for
large and interesting families of groups (e.g. free groups, Abelian groups, au-
tomatic groups) the problem is solvable. Actually, the MGS implementation is
restricted to Abelian groups.
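As an added illustration (not code from the MGS implementation), the following
Python sketch represents Grid2 and Hexagon as Abelian GBFs, decides the word
problem for them by rewriting each dependent generator into a free basis, and
applies the Eden rule of figure 8 in the parallel, non-overlapping way described
there. It assumes every group equation defines one generator as a sum of the
others (true for Hexagon); the names AbelianGBF, eden_step and seed are
hypothetical.

```python
class AbelianGBF:
    """Group Based Datafield over a finitely presented Abelian group.

    Hypothetical implementation, not the MGS one.  Assumption: each equation
    has the form  dependent = g1 + g2 + ...  over the remaining generators,
    so the group is free Abelian on those generators and a place is a
    canonical integer vector over that basis.  A general Abelian presentation
    would need Smith normal form, which is not handled here."""

    def __init__(self, generators, equations=None):
        self.generators = list(generators)
        self.equations = dict(equations or {})
        self.basis = [g for g in self.generators if g not in self.equations]
        # every generator, basis or dependent, as an integer vector over the basis
        self.vec = {g: tuple(int(b == g) for b in self.basis) for g in self.basis}
        for g, combo in self.equations.items():
            self.vec[g] = self._add(*(self.vec[h] for h in combo))
        self.values = {}          # finite partial function: place -> value

    @staticmethod
    def _add(*vectors):
        return tuple(sum(cs) for cs in zip(*vectors))

    def place(self, word, origin=None):
        """Word problem: a word over the generators (a leading '-' marks the
        inverse) names the place origin.word as a canonical vector, so two
        words denote the same place iff they yield the same vector."""
        p = tuple(0 for _ in self.basis) if origin is None else origin
        for g in word:
            sign, name = (-1, g[1:]) if g.startswith('-') else (1, g)
            p = self._add(p, tuple(sign * c for c in self.vec[name]))
        return p

    def is_cycle(self, word):
        """A closed path of the Cayley graph: a word equal to the identity."""
        return self.place(word) == self.place([])

    def neighbors(self, p):
        """The g- and g^-1-neighbors of p for every generator g (6 in Hexagon,
        4 in Grid2), in a fixed order so that steps are deterministic."""
        return [self.place([w], p) for g in self.generators for w in (g, '-' + g)]


def grid2():                      # gbf Grid2 = < north, east >
    return AbelianGBF(['north', 'east'])


def hexagon():                    # gbf Hexagon = < east, north, northwest; east + north = northwest >
    return AbelianGBF(['east', 'north', 'northwest'], {'northwest': ['east', 'north']})


def seed(gbf):
    """Constructed initial state: a single occupied cell at the identity place."""
    gbf.values[gbf.place([])] = True
    return gbf


def eden_step(gbf):
    """One synchronous step of  trans Eden = { x, <undef> / x => x, true }.
    Each occupied element x is matched at most once and each undefined neighbor
    at most once (matched paths never share an element), so two occupied cells
    never claim the same empty cell.  Returns a new GBF."""
    nxt = AbelianGBF(gbf.generators, gbf.equations)
    nxt.values = dict(gbf.values)
    claimed = set(gbf.values)                 # defined places are not <undef>
    for x in sorted(p for p, v in gbf.values.items() if v is True):
        for q in gbf.neighbors(x):            # candidates for the <undef> filter
            if q not in claimed:
                claimed.add(q)
                nxt.values[q] = True          # r.h.s.: x, true
                break
    return nxt


def eden(gbf, steps):
    """Eden[steps](gbf): iterate the transformation a fixed number of times."""
    for _ in range(steps):
        gbf = eden_step(gbf)
    return gbf


if __name__ == "__main__":
    h = hexagon()
    print(h.place(['east', 'north']) == h.place(['northwest']))   # True
    print(len(eden(seed(grid2()), 3).values))                      # 8
```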
4 Topological Collections and Their Transformations

In this section, we want to show how a declarative programming style, based
on rules and a general notion of rewriting, can be developed on topological
collections like the GBF presented in the previous section. The topological ap-
proach sketched in section 2 is investigated through an experimental declarative
programming language called MGS [GM01c, GM02b]. MGS embeds the idea of
topological collections and their transformations into the framework of a simple
dynamically typed functional language. Collections are just new kinds of values
and transformations are functions acting on collections and defined by a specific
syntax using rules. Functions and transformations are first-class values and can
be passed as arguments or returned as the result of an application. MGS is an
applicative programming language: operators acting on values combine values to
give new values; they do not act by side-effect. In our context, dynamically typed
means that there is no static type checking and that type errors are detected
at run-time during evaluation. Although dynamically typed, the set of values
has a rich type structure used in the definition of pattern-matching, rules and
transformations.

Transformation of a Topological Collection. The global transformation of a topo-
logical collection C consists in the parallel application of a set of local transfor-
mations. A local transformation is specified by a rewriting rule r that specifies
the change of a subcollection. The application of a rewrite rule r = β => f(β, ...)
to a collection C:

1. selects a path B of C whose elements match the path pattern β,

2. computes a new collection B' as a function f of B and its neighbors,

3. and specifies the insertion of B' in place of B into C.

In the rest of this section, we first describe the topological collection types
available in MGS besides the GBF. We introduce the notion of "Newtonian" and
"Leibnizian" collections, because this distinction is crucial for the behavior of rule
application. Subsection 4.2 sketches the most common patterns that can be used
in the left hand side (l.h.s.) of a rule. Then we discuss some of the application
strategies available in MGS. Finally, subsection 4.4 gives some simple examples of
real MGS programs.

4.1 Newtonian and Leibnizian Collection Types 

There are several predefined collection types in MGS, and also several means
to construct new collection types. The collection types can range in MGS from
totally unstructured with sets and multisets to more structured with sequences
and Abelian GBFs, Delaunay neighborhood and graphs (other topologies are cur-
rently under development). For any collection type T, the corresponding empty
collection is written ():T. Elements in a collection T can be of any type, including
collections, thus achieving complex objects in the sense of [BNTW95]. The name
of a type is also a predicate used to test if a value has this type: T(v) returns
true only if v has type T.
Monoidal Collections. Sets, multisets (or bags) and sequences are members of the
monoidal collection family. As a matter of fact, a sequence (resp. a multiset)
(resp. a set) of values can be seen as an element of the free monoid (resp. the
commutative monoid) (resp. the idempotent and commutative monoid). The
join operation in V* is written by a comma and induces the neighborhood
of each element: let E be a monoidal collection, then elements x and y in E
are neighbors iff E = u,x,y,v for some u and v. This definition induces the
following topology:

— for sets (type set), each element in the set is neighbor of any other element 
(because of the commutativity, the term describing a set can be reordered 
following any order); 

— for multiset (type bag), each element is also neighbor of any other (however, 
the elements are not required to be distinct as in a set); 

— for sequence (type seq), the topology is the expected one: an element not at 
the end has a neighbor at its right. 

The comma operator is overloaded in MGS and can be used to build any monoidal
collection (the type of the arguments disambiguates the collection built).

Newtonian and Leibnizian Collection Types. Coming back to the idea of seeing
a data structure as a space, we can note a great difference between the "kind of
space" involved by the GBFs and the monoidal collections. The two concepts of
space involved by these data structures may be contrasted as follows:

1. in a GBF, the underlying space preexists (as the Cayley graph of the finite
presentation) and is thought of as a container for the collection elements;

2. in a monoidal collection, e.g. a set, the underlying space exists only by
virtue of the elements present in the collection.

The first notion has been advocated by Newton in opposition to Leibniz and
Huygens [Jam93]. The latter attributes a positional quality to the elements. In
this approach, there is no such thing as an empty place^.

This distinction has several impacts on the management of the data struc- 
tures. Consider the rule: 

x, y => x

Intuitively it defines the erasure of an element y neighbor of an element x. This
does not raise any difficulty in a Leibnizian collection: applied one time to a set
with a cardinality greater than 2, this rule removes one randomly chosen element.
However, in a Newtonian collection like an array, the erasure of y leaves an empty
cell, because the cell itself cannot disappear without breaking the neighborhood.
The content of an empty cell is the special value <undef>.

Another distinction is that Newtonian collections correspond to an absolute 
space, where the place can be named, denoted and used in all the collections 
with the same type. There is no such thing for a Leibnizian collection: e.g. there 
is no notion of absolute place for the element of a multiset. 

^ An empty set/seq/bag is a space of a certain kind without any place, and not an
empty space.
4.2 Path Patterns

A path is a sequence of elements and thus, a path pattern Pat is a sequence or a
repetition Rep of basic filters. A basic filter Bfilt matches one element in a GBF.
The grammar of path patterns reflects this decomposition:

Pat   := Rep | Rep Dir Pat | Pat as id | (Pat)
Rep   := Bfilt | Bfilt/exp | Bfilt Dir+
Bfilt := cte | id | _ | <undef>
Dir   := , | |u1, ..., un>

where cte is a literal value, id ranges over the pattern variables, exp is a boolean
expression, and u_i is a word of generators of a GBF. The following explanations
give a systematic interpretation for these patterns.

literal: a literal value cte matches an element with the same value. For example,
123 matches an element in a GBF with value 123.

empty element: the symbol <undef> matches an element with an undefined
value, that is, an element whose position does not belong to the support of
the GBF. The use of this basic filter is subject to some restriction: it can
occur only as the neighbor of a defined element.

variable: a pattern variable a matches exactly one element with a well defined
value. The variable a can then occur elsewhere in the rest of the rule and
denotes the value of the matched element.

If the pattern variable a is not used in the rest of the rule, one can spare
the effort of giving a fresh name by using the anonymous filter _ that matches
any element with a defined value. The position of a is accessible through the
expression pos(a).

neighbor: b dir p is a pattern that matches a path with first element matched
by b and continuing as a path matched by p with the first element p0 such
that p0 is a neighbor of b following the dir direction. The specification dir of
a direction is interpreted as follows:

— the comma means that p0 and b must be neighbors;

— the direction |u1, ..., un> means that p0 must be a u1-neighbor or a
u2-neighbor or ... or a un-neighbor of b.

For example, x, y matches two connected elements (i.e., x must be a neighbor
of y). The pattern

1 |east> _ |north,east> 2

matches three elements. The first must have the value 1 and the third the
value 2. The second is at the east of the first and the last is at the north or
at the east of the second.

guard: p / exp matches a path matched by p if the boolean expression exp evaluates
to true. For instance, x, y / y > x matches two neighbor elements x and y
such that y is greater than x.

naming: a sub-pattern can be named using the as construct. For example, in
the expression (1, x |north>+, 3) as P, the variable P is bound to the
path matched by 1, x |north>+, 3.
repetition: the pattern b dir+ matches a non-empty path b dir b dir ... dir b. If
the basic filter b is a variable, then its value refers to the sequence of matched
elements and not to one of the individual values. The pattern x+ is an ab-
breviation for "(_,+) as x".

Elements matched by basic filters in a rule are distinct. So a matched path
is without self-intersection. The identifier of a pattern variable can be used only
once in the position of a filter. That is, the path pattern x,x is forbidden.
However, this pattern can be rewritten for instance as: x,y / y = x.

4.3 Substitution and Application Strategies 

Paths and Subcollections. A path pattern is used to find the occurrence of the
specified path in a collection C. The matched path can be seen as a sequence of
elements in C as well as a subcollection of C: the collection made of the elements
in the path and inheriting its organization from C. Therefore, the right hand
side (r.h.s.) can compute a sequence as well as a subcollection. If the r.h.s. is
a sequence, then the nth element of the r.h.s. replaces the nth element of the
matched path (this holds for Newtonian collections; Leibnizian collections are
more flexible and allow the insertion or the deletion of elements). If the r.h.s.
is a collection, then this collection is pasted into C as a replacement for the
matched path. The pasting operation depends on the collection kind and can be
parameterized by giving explicit attributes to the arrow.

For example, suppose that we want to replace each 1 in a sequence by a series
of three 1. The corresponding rule is:

1 => 1, 1, 1

The behavior of the previous rule is the intended behavior. For example, applied
to the sequence 0, 1, 2, 1, 0 we obtain 0, 1, 1, 1, 2, 1, 1, 1, 0. However,
there is a possible ambiguity with a rule that replaces each 1 by only one element
which is, unfortunately, a sequence. That is, the desired result is a sequence of
five elements: 0, (1,1,1), 2, (1,1,1), 0 (this sequence has for elements 3
integers and 2 sequences). This behavior is achieved by overriding the default
pasting strategy of =>:

1 ={noflat}=> 1, 1, 1

The attribute noflat enables the desired behavior.

Priorities and Application Order. Other attributes enable the control of the rule
application strategy. For instance, rules can have a priority used to choose the next
paths to match. However, the only property ensured by the MGS rewriting engine
is the following: if no rule at all applies during the application of a transformation
T on a collection C, then there is no occurrence in C of the paths specified by
the l.h.s. of the rules of T. Nevertheless, if the l.h.s. of T's rules specify only
paths of length one, an additional property is satisfied: these rules are applied in
a maximal parallel manner. For example

x => f(x)

is a rule that implements a polytypic map f: this rule replaces each element x of
a collection by f(x), for any collection type.

Iterations and Fixpoints. A transformation T is a function like any other func-
tion and a first-class value. For instance, a transformation can be passed as an
argument to another function or returned as a result. This makes it easy to
sequence and compose transformations.

The expression T(c) denotes the application of one transformation step of
the transformation T to the collection c. As said above, a transformation step
consists in the parallel application of the rules (modulo the rule application's
features). A transformation step can be easily iterated:

T[n](c)          denotes the application of n transformation steps to c
T[fixpoint](c)   application of T until a fixpoint is reached
T[fixrule](c)    idem, but the fixpoint is detected when no rule applies



4.4 Simple Examples 

The path pattern language introduced above is more than enough to code the ex-
amples of figures 1, 2, and 3. We present the first three algorithms.

The transformation:

trans BeadSort = { empty |north> 1 => 1, empty }

is applied on a Grid2. The constant empty is used to give a value to an empty
place and the constant 1 is used to represent an occupied cell. The l.h.s. of
the only rule of the transformation BeadSort selects the paths of length two,
composed of an occupied cell north of an empty cell. Such a path is replaced
by a path computed in the r.h.s. of the rule. The r.h.s. in this example computes
a path of length two with the occupied and the empty cell exchanged. Indeed,
the comma in the MGS expression at the r.h.s. of a rule^ is used to build a
sequence by listing its elements.

The transformation BubbleSort acts on a sequence. Although the sequence
collection type can be specified as a GBF with only one generator, the sequence
type is predefined in MGS and has specific properties (see section 4.1). The
transformation is defined as:

trans BubbleSort = { x, y / x > y => y, x }

This is not really a bubble sort because the swapping of elements can take place
at arbitrary positions; hence an out-of-order element does not necessarily bubble
to the top in the characteristic way.

^ A comma is also used in a path expression to denote the neighborhood relationship 
between two elements in a collection in the l.h.s. The two usages agree, because in 
the sequence a, b the elements a and b are neighbors. 
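To make the path patterns of 4.2, the pasting and iteration strategies of 4.3 and
the BubbleSort rule above concrete, here is an added Python model of rule
application on a sequence; it is not the MGS engine and uses a hypothetical
tuple encoding of patterns instead of the MGS syntax. Matching is maximal
parallel and non-overlapping (left-to-right scan, rules tried in specification
order), the noflat attribute is a flag on the rule, and iterate plays T[n] and
T[fixpoint].

```python
# Basic filters of a path pattern on a seq (only the comma direction exists):
#   ('lit', v)     a literal value        ('var', name)  a pattern variable
#   ('any',)       the anonymous filter _ ('rep', name)  the repetition name+

def match_path(pattern, seq, i, env, guard=None):
    """Match pattern at position i of seq.  Returns (end, env) for the first
    match whose guard holds, else None.  A path on a seq is contiguous and each
    element is consumed once, so a matched path never self-intersects."""
    if not pattern:
        return None if guard and not guard(env) else (i, env)
    kind, *arg = pattern[0]
    rest = pattern[1:]
    if kind == 'rep':                        # name+ : non-empty run, shortest first
        for j in range(i + 1, len(seq) + 1):
            found = match_path(rest, seq, j, {**env, arg[0]: seq[i:j]}, guard)
            if found:
                return found
        return None
    if i >= len(seq):
        return None
    if kind == 'lit' and seq[i] != arg[0]:
        return None
    if kind == 'var':
        if arg[0] in env:                    # x,x is forbidden: use x,y / y == x
            raise ValueError("a pattern variable may filter only one element")
        env = {**env, arg[0]: seq[i]}
    return match_path(rest, seq, i + 1, env, guard)


def apply_step(rules, seq):
    """One transformation step.  A rule is (pattern, guard, rhs, noflat): rules
    are tried in specification order at each position, scanning left to right,
    so the chosen matches are pairwise disjoint and no further match can be
    added.  The r.h.s. sequence is spliced in (flat) unless noflat is set, in
    which case it becomes a single nested element."""
    out, i = [], 0
    while i < len(seq):
        for pattern, guard, rhs, noflat in rules:
            found = match_path(pattern, seq, i, {}, guard)
            if found:
                j, env = found
                result = rhs(env)
                out.extend([result] if noflat else result)
                i = j
                break
        else:
            out.append(seq[i])               # no rule applies: element kept
            i += 1
    return out


def iterate(rules, seq, n=None):
    """T[n](c) when n is given, otherwise T[fixpoint](c): apply steps until the
    collection no longer changes."""
    steps = 0
    while n is None or steps < n:
        nxt = apply_step(rules, seq)
        steps += 1
        if n is None and nxt == seq:
            return nxt
        seq = nxt
    return seq


# 1 => 1, 1, 1   and   1 ={noflat}=> 1, 1, 1
TRIPLE = [([('lit', 1)], None, lambda e: [1, 1, 1], False)]
TRIPLE_NOFLAT = [([('lit', 1)], None, lambda e: [1, 1, 1], True)]
# trans BubbleSort = { x, y / x > y => y, x }
BUBBLE_SORT = [([('var', 'x'), ('var', 'y')], lambda e: e['x'] > e['y'],
                lambda e: [e['y'], e['x']], False)]
# x => f(x), the polytypic map, here with f = lambda v: 10 * v
MAP10 = [([('var', 'x')], None, lambda e: [10 * e['x']], False)]
# (1, x+, 3) => sum(x): a repetition bound to a variable; the r.h.s. is shorter
# than the matched path, which a Leibnizian collection allows
SUM_RUN = [([('lit', 1), ('rep', 'x'), ('lit', 3)], None,
            lambda e: [sum(e['x'])], False)]

if __name__ == "__main__":
    print(apply_step(TRIPLE, [0, 1, 2, 1, 0]))         # [0, 1, 1, 1, 2, 1, 1, 1, 0]
    print(apply_step(TRIPLE_NOFLAT, [0, 1, 2, 1, 0]))  # [0, [1, 1, 1], 2, [1, 1, 1], 0]
    print(iterate(BUBBLE_SORT, [3, 1, 2]))             # [1, 2, 3]
```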
The two previous examples do not create new elements in the collection.
The Erastothene transformation computes the ordered sequence of the prime
integers. Each element i in the sequence corresponds to the previously computed
ith prime P_i and is represented by a record {p = P_i}. This element can receive
a candidate number n and is then represented by a record {p = P_i, a = n}. If
the candidate passes the test, then the element transforms itself into a record r =
{p = P_i, b = n}. If the right neighbor of r is of the form {p = P_{i+1}}, then the
candidate n skips from r to the right neighbor. When there is no right neighbor
to r, then n is prime and a new element is added at the end of the sequence.
The first element of the sequence is distinguished and generates the candidates.
Accordingly, the Erastothene transformation consists in 6 rules named genere1,
genere2, test1, test2, pass and create:



trans Erastothene = {
genere1: n/int(n), <undef>                => n, {x=n}
genere2: n/int(n), {p=x, ~a, ~b}          => n, {x=n}
test1:   {p=x, a=y, ~b} / y mod x == 0    => {p=x}
test2:   {p=x, a=y, ~b} / y mod x <> 0    => {p=x, b=y}
pass:    {p=x1, b=y}, {p=x2, ~a, ~b}      => {p=x1}, {p=x2, a=y}
create:  {p=x, b=y}, <undef>              => {p=x}, {p=y}
}

The pattern {p=x, a=y, ~b} matches a record with a field p (and the value
of this field is bound to x), a field a and no field b. The pattern n / int(n),
<undef> matches a path reduced to a single integer (there is nothing at the
right of this integer). Consequently, it matches the end of a sequence (if this end
is an integer). The rule genere1 is used only once, at the beginning, when the
transformation is applied to the sequence singleton 2, ():seq.



5 Application to the Modeling of Dynamical Systems with a Dynamic Structure

Our topological approach is motivated by some considerations internal to com-
puter science, and also by the needs expressed by some application domains. A
target application domain for MGS is the modeling and simulation of dynam-
ical systems (DS) and especially DS that exhibit a dynamic structure ((DS)^2).
This kind of dynamical system is very challenging to model and simulate. New
programming concepts must be developed to ease their modeling and simulation.

Dynamical Systems with a Dynamical Structure. Intuitively, a dynamical system
is a formal way to describe how a point (the state of the system) moves in the
phase space (the space of all possible states of the system). It gives a rule, the
evolution function, telling us where the point should go next from its current
location. There exist several formalisms used to describe a DS: ordinary differ-
ential equations (ODE), partial differential equations (PDE), iterated equations
(finite set of coupled difference equations), cellular automata, etc., following the
discrete or continuous nature of the time, the space and the value used in the
modeling.

Many DS are structured, which means that they can be decomposed
into parts and sometimes the whole state s of the system is simply the product
of the states of these parts. The evolution of the state of the whole system is then
viewed as the result of the changes of the state of its parts. In this case, the
evolution function h_i of the state of a part o_i depends only on a subset {o_ij}
of the state variables of the whole system. In this context, we say that the DS
exhibits a static structure if:

1. the state of the system is statically described by the state of a fixed set of
parts and this set does not change in time;

2. the relationships between the states of the parts, specified as the functions h_i
between o_i and the arguments o_ij, are also fixed and do not change in time.

Moreover, we say that the o_ij are the logical neighbors of o_i (because very often,
two parts of a system interact when they are physical neighbors). This situation
is simple and arises often in elementary physics. For example, a falling stone is
statically described by a position and a velocity and this set of variables does
not change (even if the value of the position and the value of the velocity change
in the course of time).

As pointed out by [GGMP02], many biological systems can be viewed as a
dynamical system in which not only the values of state variables, but also the
set of state variables and/or the evolution function, change over time. We call
these systems dynamical systems with a dynamic structure following [GM01c], or
(DS)^2 in short. An obvious example is given by the development of an embryo.
Initially, the state of the system is described solely by the chemical state o_0
of the egg (no matter how complex this chemical state can be). After several
divisions, the state of the embryo is given not only by the chemical state o_i
of the cells, but also by their spatial arrangement^. The number of cells, their
spatial organization and their interactions evolve constantly in the course of the
development and are not handled by one fixed structure O. On the contrary, the
phase space O(t) used to characterize the structure of the state of the system at
time t must be computed jointly with the running state of the system. In this
kind of situation, the dynamics of the whole system is often specified as several
local competing transformations occurring in an organized set of simpler entities.
The organization of this set is subject to possible drastic changes in the course
of time and is a plain part of the state of the DS.

The MGS approach. The main idea to model (DS)^2 is to follow an approach
developed recently by several authors [FMP00, Man01, EKL+02b, EKL+02a].
The point is to use rewriting rules to model the parts of the system in interaction.

^ The neighborhood of each cell is of paramount importance to the evolution of the system
because of the interplay between the shape of the system and the state of the cells.
The shape of the system has an impact on the diffusion of the chemical signals and
hence on the cells' state. Reciprocally, the state of each cell determines the evolution
of the shape of the whole system.
More specifically, we want to use an MGS topological collection S to represent
the state of a dynamical system at a given time. The elements in the collection
represent either entities (a subsystem or an atomic part of the dynamical system)
or messages (signal, command, information, action, etc.) addressed to an entity.

A path or a subcollection in S represents a subset of interacting entities 
and messages in the system. The evolution of the system is achieved through 
transformations, where the l.h.s. of a rule typically matches an entity and a 
message addressed to it, and where the r.h.s. specifies the entity’s updated state, 
and possibly other messages addressed to other entities. 

If one uses a multiset organization for the collection, the entities interact in 
a rather unstructured way. More organized topological collections are used for 
more sophisticated spatial organizations and interactions (like GBFs or Delau- 
nay). 

More generally, many mathematical models of objects and processes are 
based on a notion of state that specifies the object or the process by assigning 
some data to each point of a physical or abstract space. The MGS programming 
language is designed to support this approach offering several mechanisms to 
build complex and evolving spaces and handling the maps between these spaces 
and the data. 

In the rest of this section we present three examples involving various topol-
ogies. The first one involves the use of sequences and multisets and is related to
the cleavage of DNA strings floating in a chemical solution. The second example
uses a hexagonal lattice to discretize the 2D formation of a snowflake. The last
one sketches the trajectory of cells attracted by some neighbors. This example in-
volves a dynamic topology computed as the result of the Delaunay triangulation
of a set of points in Euclidean space.

5.1 Restriction Enzymes 

This example shows the ability to nest different topologies to achieve the model-
ing of a biological structure. We want to represent the action of a set of restriction
enzymes on the DNA. The DNA structure is simplified as a sequence of letters
A, C, T and G. The DNA strings are collected in a multiset. Thus we have to
manipulate a multiset of sequences. The following declarations:

collection DNA = seq;;

collection TUBE = bag;;

introduce a subtype called DNA of seq and a subtype of multisets called TUBE.

A restriction enzyme is represented as a rule that splits the DNA strings; for
instance a rule like:

EcoRI = X+, ("G","A","A","T","T","C"), Y+
        => (X,"G") :: ("A","A","T","T","C",Y) :: ():TUBE ;

stands for the EcoRI restriction enzyme with recognition sequence G^AATTC (the
point of cleavage is marked with ^). The X+ pattern filters the part of the DNA
string before the recognition sequence. Similarly, Y names the part of the string
after the recognition sequence. The r.h.s. of the rule constructs a TUBE containing
the two resulting DNA subsequences (the :: operator indicates the "consing" of
an element at the head of a sequence).

We need an additional rule Void for specifying that a DNA string without
a recognition sequence must be inserted wrapped in a TUBE. The two rules are
collected into one transformation:

trans Restriction = {
EcoRI = ... ;
Void = X+ => X :: ():TUBE ;
}

The rule specification order in a transformation is taken into account, and so,
the rule Void is used only if rule EcoRI cannot be applied. In this way, the result
of applying the transformation Restriction on a DNA string is systematically a
sequence with only one element which is a TUBE.

The transformation Restriction can then be applied to the DNA strings floating 
in a TUBE using the simple transformation: 

trans React = { dna ^ hd (i?estrzctzon (dna) ) } 

The operator hd gives the head of the result of the transformation Restriction, i.e. a TUBE containing one or two DNA strings. These elements are then merged with the content of the enclosing TUBE. The transformation can be iterated until a fixpoint is reached:

React[fixpoint]( ( ("C","C","C","G","A","A","T","T","C","A","A",():DNA),
                   ("T","T","G","A","A","T","T","C","G","G","G",():DNA),
                   ():TUBE ));;

returns a tube with four DNA strings:

( ("T","T","G",():DNA),
  ("C","C","C","G",():DNA),
  ("A","A","T","T","C","A","A",():DNA),
  ("A","A","T","T","C","G","G","G",():DNA),
  ():TUBE )
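The Restriction and React transformations above, rendered in Python as an added example (not the paper's MGS code and independent of any MGS interpreter): DNA strings are lists of letters, the TUBE is a plain list used as a multiset, the rules are tried in the order of the transformation, and React is iterated to a fixpoint on the paper's two input strings. The assumption that X+ and Y+ each match at least one letter is the example's reading of the pattern.

```python
from typing import List, Optional

DNA = List[str]    # a DNA string as a sequence of nucleotide letters
TUBE = List[DNA]   # the multiset of DNA strings (element order is irrelevant)

ECORI_SITE = ["G", "A", "A", "T", "T", "C"]   # recognition sequence G'AATTC


def eco_ri(dna: DNA) -> Optional[TUBE]:
    """Rule EcoRI:  X+, ("G","A","A","T","T","C"), Y+
                    => (X,"G") :: ("A","A","T","T","C",Y) :: ():TUBE
    X+ and Y+ each match at least one letter (assumption of this example), so
    the site is only searched at positions leaving something before and after
    it.  None means the pattern does not match, i.e. the rule cannot be applied."""
    k = len(ECORI_SITE)
    for i in range(1, len(dna) - k):
        if dna[i:i + k] == ECORI_SITE:
            x, y = dna[:i], dna[i + k:]
            return [x + ["G"], ["A", "A", "T", "T", "C"] + y]
    return None


def void(dna: DNA) -> TUBE:
    """Rule Void:  X+ => X :: ():TUBE  (wrap an uncut string in a TUBE)."""
    return [dna]


def restriction(dna: DNA) -> List[TUBE]:
    """Transformation Restriction = { EcoRI; Void }.  Rule order matters:
    Void is used only when EcoRI does not apply, so the result is always a
    one-element sequence whose element is a TUBE."""
    cut = eco_ri(dna)
    return [cut if cut is not None else void(dna)]


def react(tube: TUBE) -> TUBE:
    """Transformation React = { dna => hd(Restriction(dna)) }: the TUBE
    produced for each string is merged into the enclosing TUBE."""
    merged: TUBE = []
    for dna in tube:
        merged.extend(restriction(dna)[0])   # hd of the one-element sequence
    return merged


def react_fixpoint(tube: TUBE) -> TUBE:
    """React[fixpoint]: iterate React until the multiset no longer changes."""
    while True:
        nxt = react(tube)
        if sorted(map("".join, nxt)) == sorted(map("".join, tube)):
            return nxt
        tube = nxt


def digest(strings: List[str]) -> List[str]:
    """Entry point on plain strings; the fragments are returned sorted
    because a TUBE is a multiset."""
    return sorted("".join(d) for d in react_fixpoint([list(s) for s in strings]))


if __name__ == "__main__":
    # The paper's example tube: two strings, each carrying one EcoRI site.
    print(digest(["CCCGAATTCAA", "TTGAATTCGGG"]))
    # -> ['AATTCAA', 'AATTCGGG', 'CCCG', 'TTG']
```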



5.2 The Formation of a Snowflake 

A crystal forms when a liquid is cooled below its freezing point. Crystals start from a seed and then grow by progressively adding more molecules to their surface. As an idealization, the molecules of a snowflake lie on a hexagonal grid, and when a piece of ice is added to the snowflake, the heat released by this process inhibits the addition of ice nearby.

This phenomenon leads to the following cellular automaton rule [Wol02]: a black cell (value 1) represents a place of the crystal filled with ice and a white cell (value 0) is an empty place. A white cell becomes black if it has exactly one black neighbor, otherwise it remains white. The corresponding MGS transformation is:

trans SnowFlake = {
    0 as x / 1 == FoldNeighbor[\y.\acc.y+acc, 0](x) => 1
}

Fig. 9. Formation of a snowflake. See section 5.2 for the explanation. The transformation acts on a GBF Hexagon (cf. sec. 3). The pictured states are those at time steps 1, 4, 8, 12, 16, 18, 20 and 23.

The construct FoldNeighbor is not a function but an operator available only within a rule: it makes it possible to fold a function over the defined neighbors of an element matched in the l.h.s. Here, this operator is used to compute the number of black neighbors, i.e. the sum of the neighbors' values (parameter y enumerates the neighbors and parameter acc acts as an accumulator). This transformation acts on a value of type Hexagon and a possible run is illustrated in figure 9.
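The SnowFlake rule rendered in Python as an added example (not the paper's code): cells are addressed by axial hexagonal coordinates, the six neighbor offsets play the role of the GBF Hexagon neighborhood, and a small fold over the neighbors stands in for FoldNeighbor. The finite grid radius and the single black seed at the centre are assumptions of the example.

```python
from typing import Callable, Dict, List, Tuple

Cell = Tuple[int, int]   # axial coordinates (q, r) on the hexagonal grid

# The six neighbor offsets of a hexagonal cell in axial coordinates.
HEX_DIRECTIONS = [(1, 0), (-1, 0), (0, 1), (0, -1), (1, -1), (-1, 1)]


def neighbors(cell: Cell) -> List[Cell]:
    q, r = cell
    return [(q + dq, r + dr) for dq, dr in HEX_DIRECTIONS]


def fold_neighbor(f: Callable[[int, int], int], init: int,
                  cell: Cell, grid: Dict[Cell, int]) -> int:
    """Stand-in for FoldNeighbor[f, init](cell): fold f over the values of the
    defined neighbors of cell (cells outside the grid dict are undefined)."""
    acc = init
    for nb in neighbors(cell):
        if nb in grid:
            acc = f(grid[nb], acc)
    return acc


def make_grid(radius: int) -> Dict[Cell, int]:
    """An all-white hexagonal patch of the given radius (hex distance from 0)."""
    return {(q, r): 0
            for q in range(-radius, radius + 1)
            for r in range(-radius, radius + 1)
            if max(abs(q), abs(r), abs(q + r)) <= radius}


def snowflake_step(grid: Dict[Cell, int]) -> Dict[Cell, int]:
    r"""One parallel application of
         trans SnowFlake = { 0 as x / 1 == FoldNeighbor[\y.\acc.y+acc, 0](x) => 1 }
    to every cell: a white cell with exactly one black neighbor becomes black,
    all other cells keep their value."""
    new = dict(grid)
    for cell, value in grid.items():
        if value == 0 and fold_neighbor(lambda y, acc: y + acc, 0, cell, grid) == 1:
            new[cell] = 1
    return new


def run(steps: int, radius: int = 12) -> Dict[Cell, int]:
    """Grow a snowflake for the given number of steps from one black seed."""
    grid = make_grid(radius)
    grid[(0, 0)] = 1
    for _ in range(steps):
        grid = snowflake_step(grid)
    return grid


def black_count(grid: Dict[Cell, int]) -> int:
    return sum(grid.values())


if __name__ == "__main__":
    for t in (1, 2, 3):
        print(t, black_count(run(t)))
```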



5.3 System of Moving Cells Linked by Spring-Like Forces 

We want to model the trajectory of a set of cells. A cell moves because it is attracted by its immediate neighbors (for example because of the limited diffusion of a chemical that creates a gradient). The problem is that, due to the cell movements, the immediate neighbors of a cell can change. We use a Delaunay triangulation to compute the neighborhood of the cells. The Delaunay triangulation of a point set is a collection of edges satisfying an "empty circle" property: for each edge we can find a circle containing the edge's endpoints but not containing any other points.

In MGS, we start by defining the type of the value that represents a cell:

record Position = { x: float, y: float, z: float };;
record Cell = Position + {l};;

These declarations specify two record types, the first having the fields x, y and z, and the second having a field l in addition. The l field is used to associate an attractive force to each cell.
We then define a Delaunay collection type. The specification:

collection delaunay(3) D3 =
    \e.if Position(e)
       then (e.x, e.y, e.z)
       else ?("bad element type for D3 delaunay type") fi ;;

defines a new Delaunay collection type in 3 dimensions. The type, called D3, is parameterized by a user function that extracts an abstract coordinate from each element of the collection. In this example, the coordinates are simply stored in the value that represents a cell, and the function simply checks that the cell's value has a correct type and returns its coordinates (as a sequence of 3 floats).

We assume that the interaction between two cells is computed by a function of two arguments called interaction. Then, the following MGS program fragment:

epsilon = 0.05;;

fun add(u, v, e) =
    u + { x = u.x + e*v.x, y = u.y + e*v.y, z = u.z + e*v.z };;

fun sum(x, u, acc) = add(acc, interaction(x,u), epsilon);;

trans evol = {
    c => add(c, FoldNeighbor[sum(x), {x=0,y=0,z=0,l=c.l}](c), epsilon)
}

defines evol, the system's evolution function. The function add takes two records u and v and a float e. The result is a record containing all the fields of u, but where the fields x, y and z have been updated by a linear combination of the corresponding fields in u and v. The function sum adds to its first argument the interaction between two cells. This function is called in the FoldNeighbor construct appearing in the transformation evol. This transformation computes the sum of the interactions between a cell c and its neighbor cells; this sum is then used to change the state of the cell c.

The result of 250 iteration steps of this program, assuming an interaction function computing a force corresponding to a spring parameterized by the l observable, is shown in figure 10.

Delaunay collections are Leibnizian, so it is easy to extend the model to take 
into account cellular division and death. 

6 Related Works, Current Work and Future Work 

The topological approach we have sketched here is part of a long-term research effort [GMS95], developed for instance in [Gia00], where the focus is on the substructure, or in [GM01a], where a general tool for uniform neighborhood definition is developed. In this research program, a data structure is viewed as a space in which some computation occurs and moves. The notion of neighborhood is then used to control the computations.
Fig. 10. Each sphere in the picture above corresponds to a cell attracted by its neighboring cells by a spring. The neighborhood of a cell is computed dynamically using a Delaunay triangulation built from the cells' positions. At each time step, this neighborhood can change. The first picture is the initial state and shows the neighborhood using links between the cells. The second picture shows the final state, when the system has reached an equilibrium (each "tube" in this picture represents the successive positions of a cell). In MGS, the Delaunay collection type is a type constructor corresponding to the building of collections with a neighborhood computed from the positions of the elements in a d-dimensional Euclidean space.



Related Works. Seeing a computation as a path in some abstract space is hardly new: the representation of the execution of a concurrent program as a trajectory in the Cartesian product of the sequential processes dates back to the 60's (in this representation, semaphore operations create topological obstructions, and one can study the topology of these obstructions to decide whether a deadlock may occur). However, note that the space considered is based on the control structure, not on the data structure involved.

In the same line, the methods for building domains in denotational semantics 
have clearly topological roots, but they involve the topology of the set of values, 
not the topology of a value. 

Transformations on multisets are reminiscent of multiset rewriting (or rewriting of terms modulo AC). This is the main computational device of Gamma [BM86, BCM87], a language based on a chemical metaphor: the data are considered as a multiset M of molecules and the computation is a succession of chemical reactions according to a particular rule. The CHemical Abstract Machine (CHAM) extends these ideas with a focus on the expression of the semantics of non-deterministic processes [BB90]. The CHAM introduces a mechanism to isolate some parts of the chemical solution. This idea has been seriously taken into account in the notion of P systems. P systems [Pau98, Pau01] are a new distributed parallel computing model based on the notion of a membrane structure. A membrane structure is a nesting of cells represented, e.g., by a Venn diagram without intersection and with a unique superset: the skin. Objects are placed in the regions defined by the membranes and evolve following various transformations: an object can evolve into another object, can pass through a membrane or dissolve its enclosing membrane. As for Gamma, the computation is finished when no object can further evolve. By using nested multisets, MGS is able to emulate more or less the notion of P systems. In addition, patterns like the iteration + go beyond what it is possible to specify in the l.h.s. of a Gamma rule (see the footnote below).

Lindenmayer systems [Lin68] have long been used in the modeling of (DS)² (especially in the modeling of plant growth). They loosely correspond to transformations on sequences or string rewriting (they also correspond to tree rewriting, because some standard features make it particularly simple to encode arbitrary trees, cf. the work of P. Prusinkiewicz [PLH+90, PH92]). Obviously, L systems are dedicated to the handling of linear and tree-like structures.

There exist strong links between GBF and cellular automata (CA), especially considering the work of Z. Róka, who has studied CA on Cayley graphs [Rók94]. However, our own work focuses on the construction of Cayley graphs as the shape of a data structure, and we develop an operator algebra and rewriting notions on this new data type. This is not in the line of Z. Róka, who focuses on synchronization problems and establishes complexity results in the framework of CA.

Formalizations and Implementations. A unifying theoretical framework can be developed [GM01b, GM02b], based on the notion of chain complex developed in algebraic combinatorial topology [Hen94]. The topology needed to describe the neighborhood in a set or a sequence, or more generally the topology of the usual data structures, is fairly poor. However, the topological framework unifies various situations (see the paragraph above). Nevertheless, we do not claim that we have achieved a useful theoretical framework encompassing the previous paradigms. We advocate that a few (topological) notions and a single syntax can be consistently used to allow the merging of several formalisms (CA, L systems, P systems, etc.) for programming purposes. All the examples presented here run with one or the other of the two existing MGS interpreters. A new version of the interpreter is currently being developed, written in OCaml (a dialect of ML); please visit the MGS home page: http://mgs.lami.univ-evry.fr.

Perspectives. The perspectives opened by this preliminary work are numerous. We want to develop several complementary approaches to define new topological collection types. One approach to extending the applicability of GBF is to consider monoids instead of groups, especially automatic monoids, which exhibit good algorithmic properties. Another direction is to handle general combinatorial spatial structures like simplicial complexes or G-maps [Lie91]. At the language level, the study of the topological collection concepts must continue with a finer study of transformation kinds. Several kinds of restriction can be put on the transformations, leading to various kinds of pattern languages and rules. The complexity of matching such patterns has to be investigated. The efficient compilation of an MGS program is a long-term research topic. We have considered in this paper only one-dimensional paths, but a general n-dimensional notion of path exists and can be used to generalize the substitution mechanisms of MGS. From the applications point of view, we target the simulation of more complex developmental processes in biology [GGMP02].

Footnote: For example the rule "x+ / n == length(x) => ?(x)" can be used on a graph with n vertices to print a Hamiltonian path (the function ? prints its argument and the function length gives the length of a sequence).

To conclude, I want to promote the use of topological notions in computer science. The work sketched here is a modest step in this direction. I use the qualifier modest because the notions used here rely on very elementary notions taken from the domain of combinatorial algebraic topology. We do not use deep theorems but rather fundamental definitions that structure the field and clarify the objects and mechanisms to manage. This is why I want to advocate the development of alternative topological approaches to computation, confident in their heuristic, technical and pedagogical virtues.
Abstract. We prove that linear second-order matching in the linear λ-calculus with linear occurrences of the unknowns is NP-complete. This result shows that context matching and second-order matching in the linear λ-calculus are, in fact, two different problems.



1 Introduction 

Higher-order unification, which consists in solving a syntactic equation between two simply-typed λ-terms (modulo β, or modulo βη), is undecidable [9], even in the second-order case [7]. Consequently, several restrictions of the problem have been introduced and studied in the literature (see [6] for a survey).

Higher-order matching is such a restriction. It consists in solving equations whose right-hand sides do not contain any unknown. This problem, which is indeed simpler, has been shown to be decidable in the second-order case [10], in the third-order case [5], and in the fourth-order case [13]. Starting from the sixth-order case, higher-order matching modulo β is undecidable [12]. On the other hand, the decidability of higher-order matching modulo βη is still open.

Another restriction consists in studying unification in the linear λ-calculus, where every λ-abstraction λx. M is such that M contains exactly one free occurrence of x. The problem of unification in the linear λ-calculus, in the second-order case, is related to context unification [1,2], which consists of unifying trees in which second-order variables occur (i.e., variables ranging over "trees with holes"). It has been studied by Levy under the name of linear second-order unification [11]. Nevertheless, its decidability is still open. On the other hand, the more restricted problem of higher-order matching in the linear λ-calculus has been shown to be decidable and even NP-complete [8], which is also the case for context matching [15]. A related problem consists in deciding whether a matching problem between simply typed λ-terms admits a linear solution. This more general problem is also decidable [4].

Finally, several other restrictions concern the way the unknowns occur in the 
equation. In particular, another notion of linearity appears in the literature. In- 
deed, linear unification (or matching) also designates equations whose unknowns 
occur only once. 
In this paper, we will be concerned with these two different notions of linearity (equations between linear λ-terms, or linear occurrences of the unknowns). In order not to confuse them, we will speak of matching in the linear λ-calculus in the first case, and we will use the expression linear matching for the second case. This question of vocabulary being settled, we may state our main result: linear second-order matching in the linear λ-calculus is NP-complete. Such a complexity, at first sight, might be surprising. Indeed, it seems to be folklore that context matching and second-order matching in the linear λ-calculus are equivalent problems. Our result, however, shows that this is not quite the case. Indeed, linear context matching is polynomial [15].

In fact, the key difference between a context $C[x_1, \ldots, x_n]$ and a second-order λ-term is the following: in a linear λ-term $\lambda x_1 \ldots x_n.\, C$, the order in which the λ-variables are abstracted does not necessarily correspond to the order in which these variables occur in the body of the term. This slight difference is sufficient to make our problem NP-complete while linear context matching is polynomial.

The paper is organized as follows. Section 2 contains prerequisite basic notions, and defines precisely what linear second-order matching in the linear λ-calculus is. In Section 3, we define a variant of the satisfiability problem (which we call 1-neg-sat), and we prove its NP-completeness. Section 4 shows how to reduce 1-neg-sat to linear second-order matching in the linear λ-calculus, and Section 5 proves the correctness of the reduction. Finally, in Section 6, we state some related results.

2 Higher-Order Matching in the Linear λ-Calculus

This section reviews basic definitions and fixes the notations that we use in the 
sequel of the paper. 

Definition 1. Let $\mathcal{A}$ be a finite set, the elements of which are called atomic types. The set $\mathcal{T}$ of linear functional types built upon $\mathcal{A}$ is defined according to the following grammar:



We let the lowercase Greek letters ($\alpha, \beta, \gamma, \ldots$) range over $\mathcal{T}$, and we adopt the usual convention that $\alpha_1 \multimap \alpha_2 \multimap \cdots \multimap \alpha_n \multimap \alpha$ stands for $\alpha_1 \multimap (\alpha_2 \multimap (\cdots (\alpha_n \multimap \alpha) \cdots))$, and we write $\alpha^n \multimap \beta$ for:

$$\underbrace{\alpha \multimap \cdots \multimap \alpha}_{n\times} \multimap \beta$$

The order of such a linear functional type is defined as usual:

$$\mathrm{order}(\alpha) = 1 \quad \text{if } \alpha \in \mathcal{A}$$
$$\mathrm{order}(\alpha \multimap \beta) = \max(\mathrm{order}(\alpha) + 1, \mathrm{order}(\beta))$$

Then, the notion of raw λ-term is defined as follows.
Definition 2. Let $(\Sigma_\alpha)_{\alpha\in\mathcal{T}}$ be a family of pairwise disjoint finite sets indexed by $\mathcal{T}$, almost every member of which is empty. Let $(\mathcal{X}_\alpha)_{\alpha\in\mathcal{T}}$ and $(\mathcal{Y}_\alpha)_{\alpha\in\mathcal{T}}$ be two families of pairwise disjoint countably infinite sets indexed by $\mathcal{T}$, such that $(\bigcup_{\alpha\in\mathcal{T}} \mathcal{X}_\alpha) \cap (\bigcup_{\alpha\in\mathcal{T}} \mathcal{Y}_\alpha) = \emptyset$. The set $T$ of raw λ-terms is defined according to the following grammar:

$$T ::= \Sigma \mid \mathcal{X} \mid \mathcal{Y} \mid \lambda\mathcal{X}.\,T \mid (T\,T),$$

where $\Sigma = \bigcup_{\alpha\in\mathcal{T}} \Sigma_\alpha$, $\mathcal{X} = \bigcup_{\alpha\in\mathcal{T}} \mathcal{X}_\alpha$ and $\mathcal{Y} = \bigcup_{\alpha\in\mathcal{T}} \mathcal{Y}_\alpha$.

In this definition, $\Sigma$ is the set of constants, $\mathcal{X}$ is the set of λ-variables, and $\mathcal{Y}$ is the set of meta-variables or unknowns. We let the lowercase roman letters (a, b, c, ...) range over the constants, the lowercase italic letters ($x, y, z, \ldots$) range over the λ-variables, the uppercase bold letters ($\mathbf{X}, \mathbf{Y}, \mathbf{Z}, \ldots$) range over the unknowns, and the uppercase italic letters ($M, N, O, \ldots$) range over the λ-terms.

We write $h(M_1, \ldots, M_n)$ for a λ-term of the form $((\ldots(h\, M_1)\ldots)\, M_n)$, where $h$ is either a constant, a λ-variable, or a meta-variable. Given such a term, $h$ is called the head of the term.

The notions of free and bound occurrences of a λ-variable are defined as usual, and we write $\mathrm{FV}(M)$ for the set of λ-variables that occur free in a λ-term $M$. Finally, a λ-term that does not contain any meta-variable is called a pure λ-term.

We then define the notion of term of the linear λ-calculus.

Definition 3. The family $(T_\alpha)_{\alpha\in\mathcal{T}}$ of sets of terms of the linear λ-calculus is inductively defined as follows:

1. if $a \in \Sigma_\alpha$ then $a \in T_\alpha$;
2. if $X \in \mathcal{Y}_\alpha$ then $X \in T_\alpha$;
3. if $x \in \mathcal{X}_\alpha$ then $x \in T_\alpha$;
4. if $x \in \mathcal{X}_\alpha$, $M \in T_\beta$, and $x \in \mathrm{FV}(M)$, then $\lambda x.\,M \in T_{(\alpha\multimap\beta)}$;
5. if $M \in T_{(\alpha\multimap\beta)}$, $N \in T_\alpha$, and $\mathrm{FV}(M) \cap \mathrm{FV}(N) = \emptyset$, then $(M\,N) \in T_\beta$.

Clauses 4 and 5 imply that any term $\lambda x.\,M$ of the linear λ-calculus is such that there is exactly one free occurrence of $x$ in $M$. Remark, on the other hand, that constants and unknowns may occur several times in the same linear λ-term.

We define the set of terms of the linear λ-calculus to be the union of the sets $T_\alpha$. One easily proves that the sets $(T_\alpha)_{\alpha\in\mathcal{T}}$ are pairwise disjoint. Consequently, we may define the type of a term $M$ to be the unique linear type $\alpha$ such that $M \in T_\alpha$. This allows the order of a term to be defined as the order of its type. In particular, we will speak about the order of a meta-variable.

The notions of α-conversion, η- and β-reduction are defined as usual. In particular, we write $\to_\beta$ for the relation of β-reduction, and $=_\beta$ for the relation of β-conversion.

We let $M[x := N]$ denote the usual capture-avoiding substitution of a λ-variable by a λ-term. Similarly, $M[X := N]$ denotes the capture-avoiding substitution of a meta-variable by a λ-term. We abbreviate $M[x_1 := N_1] \cdots [x_n := N_n]$ as $M[x_i := N_i]_{i=1}^{n}$.
We now give a precise definition of the matching problem with which we are concerned.

Definition 4. A matching problem in the linear λ-calculus is a pair of terms of the linear λ-calculus $(M, N)$ of the same type such that $N$ is pure (i.e., does not contain any meta-variable).

Such a problem admits a solution if and only if there exists a substitution $[X_i := N_i]_{i=1}^{n}$ such that $M[X_i := N_i]_{i=1}^{n} =_\beta N$, where $\{X_1, \ldots, X_n\}$ is the set of meta-variables that occur in $M$.

In the above definition, we have taken the relation of β-conversion to be the notion of equality between λ-terms. Nevertheless, all the results we will establish remain valid when taking the relation of βη-conversion as the notion of equality.

In the sequel of this paper, a pair of λ-terms $(M, N)$ obeying the conditions of the above definition will also be called a syntactic equation. The order of such an equation is defined to be the maximum of the orders of the meta-variables occurring in the left-hand side of the equation. Finally, such an equation is said to be linear if the meta-variables occurring in its left-hand side occur only once.

In this paper, we will mainly be concerned with linear second-order matching in the linear λ-calculus, i.e., the problem of solving a linear second-order syntactic equation between terms of the linear λ-calculus.



3 1-Neg-sat 

In this section, we define a variant of the satisfiability problem, due to Kilpeläinen [14].

We first remind the reader of some basic definitions. Given a finite set $A = \{a_1, \ldots, a_n\}$ of boolean variables, a literal is defined to be either a boolean variable $a_i$ or its negation $\neg a_i$. A clause is a finite set of literals, and a satisfiability problem consists in a finite set of clauses. A positive literal $a_i$ is satisfied by a valuation $\eta : A \to \{0, 1\}$ if and only if $\eta(a_i) = 1$, and a negative literal $\neg a_i$ is satisfied if and only if $\eta(a_i) = 0$, in which case we also write $\eta(\neg a_i) = 1$. Then, a satisfiability problem $\mathcal{C}$ admits a solution if and only if there exists a valuation $\eta : A \to \{0, 1\}$ such that for all $C \in \mathcal{C}$ there exists $l \in C$ with $\eta(l) = 1$. As is well known, satisfiability is NP-complete [3].

We now introduce the variant of the satisfiability problem that we call 1-neg-sat.

Definition 5. Let $A$ be a finite set of boolean variables, and $\mathcal{C}$ be a finite set of clauses over $A$. $\mathcal{C}$ is called a 1-neg-sat problem if and only if for all $a \in A$, there exists exactly one $C \in \mathcal{C}$ such that $\neg a \in C$.

The next result is due to Kilpeläinen [14].

Lemma 1. 1-Neg-sat is NP-complete.
Proof. We show that any satisfiability problem can be reduced to a 1-neg-sat problem.

Let $\mathcal{C}$ be a finite set of clauses over the set of boolean variables $\{a_1, \ldots, a_n\}$. We introduce a set $B = \{b_1, \ldots, b_n\}$ of fresh boolean variables, and we define $\mathcal{D}$ to be the set of clauses $\bigcup_{i=1}^{n} \{\{a_i, b_i\}, \{\neg a_i, \neg b_i\}\}$. Clearly, any valuation $\eta$ that satisfies $\mathcal{D}$ is such that $\eta(a_i) = 0$ if and only if $\eta(b_i) = 1$. Conversely, any valuation $\eta$ such that $\eta(a_i) = 0$ if and only if $\eta(b_i) = 1$ satisfies $\mathcal{D}$.

Then we define $\mathcal{C}^*$ as the set of clauses obtained from $\mathcal{C}$ by replacing each occurrence of $\neg a_i$ by $b_i$. By construction, $\mathcal{C}^* \cup \mathcal{D}$ is a 1-neg-sat problem. Moreover, any valuation that satisfies this problem satisfies $\mathcal{C}$. Conversely, given a valuation $\eta$ that satisfies $\mathcal{C}$, the valuation $\eta'$ such that $\eta'(a_i) = \eta(a_i)$ and $\eta'(b_i) = \neg\eta(a_i)$ satisfies $\mathcal{C}^* \cup \mathcal{D}$. □
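The reduction of Lemma 1 as an added Python example (not part of the paper): clauses are frozensets of (name, positive) literals, the renaming of each ¬a_i to b_i and the clauses D are built as in the proof, and a brute-force solver checks on constructed inputs that the original problem and its 1-neg-sat form are equisatisfiable. The "b_" naming scheme for fresh variables is a convention of the example.

```python
from itertools import product
from typing import Dict, FrozenSet, Optional, Set, Tuple

Literal = Tuple[str, bool]        # ("a1", True) is a1, ("a1", False) is ¬a1
Clause = FrozenSet[Literal]
Problem = Set[Clause]
Valuation = Dict[str, bool]


def variables(problem: Problem) -> Set[str]:
    return {name for clause in problem for name, _ in clause}


def is_one_neg_sat(problem: Problem) -> bool:
    """Definition 5: every variable occurs negatively in exactly one clause."""
    return all(sum((a, False) in c for c in problem) == 1 for a in variables(problem))


def fresh(a: str) -> str:
    """The fresh variable b_i paired with a_i (naming scheme of this example)."""
    return "b_" + a


def to_one_neg_sat(problem: Problem) -> Problem:
    """Lemma 1: C* replaces each ¬a_i by b_i, and D = ∪_i {{a_i, b_i}, {¬a_i, ¬b_i}}
    forces η(b_i) = ¬η(a_i).  The result C* ∪ D is a 1-neg-sat problem."""
    c_star: Problem = {
        frozenset((name, True) if pos else (fresh(name), True) for name, pos in clause)
        for clause in problem}
    d: Problem = set()
    for a in variables(problem):
        d.add(frozenset({(a, True), (fresh(a), True)}))
        d.add(frozenset({(a, False), (fresh(a), False)}))
    return c_star | d


def satisfies(valuation: Valuation, problem: Problem) -> bool:
    """η satisfies C iff every clause contains a literal l with η(l) = 1."""
    return all(any(valuation[name] == pos for name, pos in clause) for clause in problem)


def solve(problem: Problem) -> Optional[Valuation]:
    """Brute-force search over all valuations (fine for the small inputs here)."""
    names = sorted(variables(problem))
    for bits in product((False, True), repeat=len(names)):
        valuation = dict(zip(names, bits))
        if satisfies(valuation, problem):
            return valuation
    return None


def lift(valuation: Valuation, problem: Problem) -> Valuation:
    """The valuation η' of the proof: η'(a_i) = η(a_i) and η'(b_i) = ¬η(a_i)."""
    lifted = dict(valuation)
    for a in variables(problem):
        lifted[fresh(a)] = not valuation[a]
    return lifted


# Constructed inputs: ¬a1 occurs in two clauses, so neither problem is 1-neg-sat.
SAT_INPUT: Problem = {frozenset({("a1", False), ("a2", True)}),
                      frozenset({("a1", False), ("a2", False)})}
UNSAT_INPUT: Problem = SAT_INPUT | {frozenset({("a1", True)})}

if __name__ == "__main__":
    for p in (SAT_INPUT, UNSAT_INPUT):
        q = to_one_neg_sat(p)
        print(is_one_neg_sat(p), is_one_neg_sat(q), solve(p) is not None, solve(q) is not None)
```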



4 Reduction of 1-neg-sat 



In this section we show how to associate to any 1-neg-sat problem a linear second-order syntactic equation in the linear λ-calculus.

Let $\mathcal{C} = \{C_1, \ldots, C_m\}$ be a 1-neg-sat problem defined over the set of boolean variables $A = \{a_1, \ldots, a_n\}$. We define $\mathrm{neg} : A \to \mathcal{C}$ to be the function such that:

$$\mathrm{neg}(a_i) = C_j \quad\text{if and only if}\quad \neg a_i \in C_j.$$

Similarly, we define $\mathrm{pos} : A \to \mathcal{P}(\mathcal{C})$ such that:

$$\mathrm{pos}(a_i) = \{C_j \in \mathcal{C} \mid a_i \in C_j\}.$$

For each $i \in \{1, \ldots, n\}$, let $m_i$ be the cardinality of $\mathrm{pos}(a_i)$, and define $\psi_i : \{1, \ldots, m_i\} \to \{1, \ldots, m\}$ to be a function such that:

$$\mathrm{pos}(a_i) = \{C_{\psi_i(1)}, \ldots, C_{\psi_i(m_i)}\}.$$

In case $m_i = 0$, by convention, $\psi_i$ is defined to be the empty function.

Now, let $o$ be an atomic type. In order to define the syntactic equation associated to $\mathcal{C}$, we introduce the following constants and meta-variables:

1. a constant $a$ of type $o$;
2. a constant $f$ of type $o^n \multimap o$;
3. for each clause $C \in \mathcal{C}$, a constant $C$ of type $o^m \multimap o$;
4. a meta-variable $X$ of type $o^m \multimap o$;
5. $m^2$ meta-variables $X_{11}, \ldots, X_{1m}, \ldots, X_{m1}, \ldots, X_{mm}$ of type $o$.

For $(i, j) \in \{1, \ldots, n\} \times \{1, \ldots, m\}$, we define the following terms:

$$R_{ij} = \begin{cases} C_{\psi_i(j)}(a, \ldots, a) & \text{if } j \leq m_i \\ a & \text{otherwise.} \end{cases}$$

Then, for $i \in \{1, \ldots, n\}$, we define:

$$R_i = \mathrm{neg}(a_i)(R_{i1}, \ldots, R_{im})$$

Finally, the syntactic equation $(L_\mathcal{C}, R_\mathcal{C})$ associated to $\mathcal{C}$ is defined as follows:

$$L_\mathcal{C} = X(C_1(X_{11}, \ldots, X_{1m}), \ldots, C_m(X_{m1}, \ldots, X_{mm}))$$
$$R_\mathcal{C} = f(R_1, \ldots, R_n)$$

Let us illustrate the above reduction by an example. Consider the following clauses:

$$C_1 = \{a_1\},\quad C_2 = \{a_1, a_2\},\quad C_3 = \{\neg a_1, \neg a_2\}$$

to which we associate the constants $C_1$, $C_2$, and $C_3$ of type $o \multimap o \multimap o \multimap o$, respectively. We have $\mathrm{neg}(a_1) = C_3$, $\mathrm{neg}(a_2) = C_3$, $\mathrm{pos}(a_1) = \{C_1, C_2\}$, and $\mathrm{pos}(a_2) = \{C_2\}$. If $\psi_1(1) = 1$, $\psi_1(2) = 2$ and $\psi_2(1) = 2$, the terms $R_{ij}$ are the following:

$$R_{11} = C_1(a, a, a) \qquad R_{12} = C_2(a, a, a) \qquad R_{13} = a$$
$$R_{21} = C_2(a, a, a) \qquad R_{22} = a \qquad R_{23} = a$$

Hence, the syntactic equation associated to this 1-neg-sat problem is as follows:

$$L_\mathcal{C} = X(C_1(X_{11}, X_{12}, X_{13}),\, C_2(X_{21}, X_{22}, X_{23}),\, C_3(X_{31}, X_{32}, X_{33}))$$
$$R_\mathcal{C} = f(C_3(C_1(a, a, a), C_2(a, a, a), a),\, C_3(C_2(a, a, a), a, a))$$

The intuition behind this reduction is the following. If the syntactic equation admits a solution, the term substituted for $X$ must be of the form:

$$\lambda x_1 \ldots x_m.\, f(S_1, \ldots, S_n)$$

where each term $S_i$ is either some λ-variable $x_k$, or some application of the form:

$$\mathrm{neg}(a_i)(S_{i1}, \ldots, S_{im}).$$

The first case corresponds to a boolean variable $a_i$ such that $\eta(a_i) = 0$, while the second case corresponds to a boolean variable $a_i$ such that $\eta(a_i) = 1$.

Back to our example, one sees that the given equation admits the following solution:

$$\begin{cases} X := \lambda x_1 x_2 x_3.\, f(C_3(x_1, x_2, a), x_3) \\ X_{31} := C_2(a, a, a) \\ X_{ij} := a \quad \text{for } i \neq 3 \text{ or } j \neq 1 \end{cases}$$

which corresponds, indeed, to the only valuation that satisfies $\mathcal{C}$, namely, the valuation $\eta$ such that $\eta(a_1) = 1$ and $\eta(a_2) = 0$.

5 Correctness of the Reduction 

Consider again a 1-neg-sat problem $\mathcal{C} = \{C_1, \ldots, C_m\}$ defined over the set of boolean variables $A = \{a_1, \ldots, a_n\}$, and let the λ-terms $R_{ij}$, $R_i$, $L_\mathcal{C}$, and $R_\mathcal{C}$ be defined as in the previous section.

We first prove that the syntactic equation $(L_\mathcal{C}, R_\mathcal{C})$ admits a solution whenever $\mathcal{C}$ is satisfiable. To this end, suppose that $\mathcal{C}$ is satisfied by a valuation $\eta$. Consequently, there exists a choice function $\phi$ that picks in each clause a literal that is satisfied by $\eta$. More precisely, we define $\phi : \{1, \ldots, m\} \to \{1, \ldots, n\}$ to be a function such that

$$\text{either } \eta(a_{\phi(i)}) = 1 \text{ and } a_{\phi(i)} \in C_i, \quad \text{or } \eta(a_{\phi(i)}) = 0 \text{ and } \neg a_{\phi(i)} \in C_i.$$

Remark that this function is such that if $\phi(i) = \phi(j)$ and $\eta(a_{\phi(i)}) = 0$ then $i = j$. This is due to the constraint that a negative literal occurs in only one clause.

Given a set $\{x_1, \ldots, x_m\}$ of λ-variables, we define the family of terms $S_i$, for $i \in \{1, \ldots, n\}$, as follows:

$$S_i := \begin{cases} x_j & \text{if } \eta(a_i) = 0 \text{ and } j \text{ such that } \phi(j) = i \text{ exists} \\ \mathrm{neg}(a_i)(S_{i1}, \ldots, S_{im}) & \text{otherwise} \end{cases}$$

where, in the second case, the family of terms $S_{ij}$ is the following:

$$S_{ij} := \begin{cases} x_k & \text{if } \eta(a_i) = 1 \text{ and } k \text{ such that } \phi(k) = i \text{ and } R_{ij} = C_k(a, \ldots, a) \text{ exists} \\ R_{ij} & \text{otherwise} \end{cases}$$

Finally, we define:

$$S = \lambda x_1 \ldots x_m.\, f(S_1, \ldots, S_n)$$

As we will show, the above term is the main ingredient of a solution to the syntactic equation $(L_\mathcal{C}, R_\mathcal{C})$. In order to establish this fact, we first prove that $S$ is indeed a λ-term of the linear λ-calculus.



Lemma 2. For all $j \in \{1, \ldots, m\}$, $x_j \in \mathrm{FV}(S_{\phi(j)})$.

Proof. We proceed by case analysis, according to the value of $\eta(a_{\phi(j)})$.

Suppose that $\eta(a_{\phi(j)}) = 0$. Then, by definition, we have that $S_{\phi(j)} = x_j$. Hence, $x_j \in \mathrm{FV}(S_{\phi(j)})$.

On the other hand, when $\eta(a_{\phi(j)}) = 1$, we have, by definition of $\phi$, that $C_j \in \mathrm{pos}(a_{\phi(j)})$. Consequently, there exists $k$ such that $R_{\phi(j)k} = C_j(a, \ldots, a)$. Therefore, by definition, $S_{\phi(j)k} = x_j$, which implies $x_j \in \mathrm{FV}(S_{\phi(j)})$. □



Lemma 3. If $x_j \in \mathrm{FV}(S_i)$ then $\phi(j) = i$, for any $j \in \{1, \ldots, m\}$ and any $i \in \{1, \ldots, n\}$.

Proof. An immediate consequence of the definition of the family of terms $S_i$. □



Lemma 4. For all $i \in \{1, \ldots, n\}$ and all $C_k \in \mathrm{pos}(a_i)$, there exists exactly one $j \in \{1, \ldots, m\}$ such that $R_{ij} = C_k(a, \ldots, a)$.

Proof. An immediate consequence of the definition of the family of terms $R_{ij}$. □



Lemma 5. $S = \lambda x_1 \ldots x_m.\, f(S_1, \ldots, S_n)$ is a term of the linear λ-calculus.

Proof. We have to prove that each of the λ-variables $x_1, \ldots, x_m$ has exactly one occurrence in $f(S_1, \ldots, S_n)$. By Lemma 2, we know that $x_1, \ldots, x_m \in \mathrm{FV}(f(S_1, \ldots, S_n))$. Hence, it remains to show that for any $j \in \{1, \ldots, m\}$, $x_j$ occurs at most once in $f(S_1, \ldots, S_n)$. By Lemma 3, this amounts to proving that for any $i \in \{1, \ldots, n\}$, $x_j$ occurs at most once in $S_i$. So, suppose that $x_j \in \mathrm{FV}(S_i)$. Then, either $x_j = S_i$, or $x_j = S_{ik}$ for some $k$. In the second case, $k$ is such that $R_{ik} = C_j(a, \ldots, a)$. Hence, it is unique by Lemma 4. Therefore, in both cases, there is only one occurrence of $x_j$ in $S_i$. □

It appears in the proof of Lemma 2 that for all $i \in \{1, \ldots, m\}$ either there exists $k \in \{1, \ldots, n\}$ such that $x_i = S_k$, or there exist $k \in \{1, \ldots, n\}$ and $l \in \{1, \ldots, m\}$ such that $x_i = S_{kl}$. This fact allows the family of terms $T_{ij}$ (for $i, j \in \{1, \ldots, m\}$) to be defined as follows:

$$T_{ij} = \begin{cases} R_{kj} & \text{if } k \text{ such that } x_i = S_k \text{ exists} \\ a & \text{if } k \text{ and } l \text{ such that } x_i = S_{kl} \text{ exist} \end{cases}$$

It is immediate that these terms are terms of the linear λ-calculus.

We are now in a position to establish that the syntactic equation $(L_\mathcal{C}, R_\mathcal{C})$ admits a solution provided that $\mathcal{C}$ is satisfiable.

Proposition 1. Let $\mathcal{C}$ be a 1-neg-sat problem, and $(L_\mathcal{C}, R_\mathcal{C})$ be the associated syntactic equation. If $\mathcal{C}$ is satisfiable, then $(L_\mathcal{C}, R_\mathcal{C})$ admits a solution.

Proof. The fact that $\mathcal{C}$ is satisfiable allows the terms $S_i$ and $T_{ij}$ to be defined, and we prove that

$$L_\mathcal{C}[X := S][X_{ij} := T_{ij}]_{i=1}^{m}{}_{j=1}^{m} =_\beta R_\mathcal{C}$$

Indeed, we have:

$$L_\mathcal{C}[X := S][X_{ij} := T_{ij}]_{i=1}^{m}{}_{j=1}^{m} = S(C_1(T_{11}, \ldots, T_{1m}), \ldots, C_m(T_{m1}, \ldots, T_{mm}))$$
$$=_\beta f(S_1, \ldots, S_n)[x_j := C_j(T_{j1}, \ldots, T_{jm})]_{j=1}^{m}$$

Then, it remains to show that for all $i \in \{1, \ldots, n\}$:

$$S_i[x_j := C_j(T_{j1}, \ldots, T_{jm})]_{j=1}^{m} = R_i$$

There are two cases:

1. $S_i = x_k$, for some $k \in \{1, \ldots, m\}$.

In this case, we have that $T_{kl} = R_{il}$, for all $l \in \{1, \ldots, m\}$. We also have $\eta(a_i) = 0$ and $\phi(k) = i$, which implies that $\mathrm{neg}(a_i) = C_k$. Consequently:

$$\begin{aligned} x_k[x_j := C_j(T_{j1}, \ldots, T_{jm})]_{j=1}^{m} &= x_k[x_k := C_k(R_{i1}, \ldots, R_{im})] \\ &= C_k(R_{i1}, \ldots, R_{im}) \\ &= \mathrm{neg}(a_i)(R_{i1}, \ldots, R_{im}) \\ &= R_i \end{aligned}$$
2. $S_i = \mathrm{neg}(a_i)(S_{i1}, \ldots, S_{im})$.

In this case, it is sufficient to show that for all $k \in \{1, \ldots, m\}$:

$$S_{ik}[x_j := C_j(T_{j1}, \ldots, T_{jm})]_{j=1}^{m} = R_{ik}$$

There are two subcases. In the case $S_{ik} = x_l$, for some $l \in \{1, \ldots, m\}$, we have that $R_{ik} = C_l(a, \ldots, a)$ and $T_{lj} = a$, for all $j \in \{1, \ldots, m\}$. Therefore:

$$\begin{aligned} x_l[x_j := C_j(T_{j1}, \ldots, T_{jm})]_{j=1}^{m} &= x_l[x_l := C_l(a, \ldots, a)] \\ &= C_l(a, \ldots, a) \\ &= R_{ik} \end{aligned}$$

Otherwise, we have $S_{ik} = R_{ik}$, and the desired property follows immediately. □
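The reduction of Section 4 and the solution construction of Section 5 (the choice function φ, the terms S_i, S_ij and T_ij, and the substitution checked in the proof of Proposition 1), as an added Python example that is not part of the paper: terms h(M_1, ..., M_k) are tuples (h, (M_1, ..., M_k)), the paper's three-clause problem is rebuilt, and the example checks that L_C[X:=S][X_ij:=T_ij] β-reduces to R_C. The name strings "C1", "x1", "X11" and the 1-based clause and variable numbering are conventions of the example.

```python
from typing import Dict, List, Set, Tuple

Term = Tuple[str, tuple]          # (head, arguments); leaves have an empty tuple
Literal = Tuple[str, bool]        # ("a1", True) is a1, ("a1", False) is ¬a1
A: Term = ("a", ())               # the constant a of type o


def reduction(clauses: List[Set[Literal]], variables: List[str]):
    """Section 4: neg, pos (listed in the order ψ_i), the R_ij, and (L_C, R_C).
    clauses[j-1] is C_j and variables[i-1] is a_i."""
    n, m = len(variables), len(clauses)
    neg = {a: next(j for j, c in enumerate(clauses, 1) if (a, False) in c) for a in variables}
    pos = {a: [j for j, c in enumerate(clauses, 1) if (a, True) in c] for a in variables}
    R: Dict[Tuple[int, int], Term] = {}
    for i, a in enumerate(variables, 1):
        for j in range(1, m + 1):          # R_ij = C_{ψ_i(j)}(a,...,a) if j <= m_i, else a
            R[i, j] = ("C%d" % pos[a][j - 1], (A,) * m) if j <= len(pos[a]) else A
    R_i = [("C%d" % neg[a], tuple(R[i, j] for j in range(1, m + 1)))
           for i, a in enumerate(variables, 1)]
    L_C: Term = ("X", tuple(("C%d" % i, tuple(("X%d%d" % (i, j), ()) for j in range(1, m + 1)))
                          for i in range(1, m + 1)))
    R_C: Term = ("f", tuple(R_i))
    return neg, pos, R, L_C, R_C


def solution(clauses, variables, eta: Dict[str, bool]):
    """Section 5: from a satisfying valuation η build φ, the body f(S_1..S_n)
    of S = λx_1..x_m. f(S_1..S_n), and the terms T_ij."""
    n, m = len(variables), len(clauses)
    neg, pos, R, L_C, R_C = reduction(clauses, variables)
    phi: Dict[int, int] = {}          # φ(j) = i: a literal of C_j on a_i satisfied by η
    for j, c in enumerate(clauses, 1):
        phi[j] = next(i for i, a in enumerate(variables, 1) if (a, eta[a]) in c)
    S: Dict[int, Term] = {}
    for i, a in enumerate(variables, 1):
        js = [j for j in phi if phi[j] == i]
        if not eta[a] and js:                 # S_i = x_j with φ(j) = i (unique, see remark)
            S[i] = ("x%d" % js[0], ())
        else:                                 # S_i = neg(a_i)(S_i1, ..., S_im)
            args = []
            for j in range(1, m + 1):
                ks = [k for k in js if eta[a] and R[i, j] == ("C%d" % k, (A,) * m)]
                args.append(("x%d" % ks[0], ()) if ks else R[i, j])
            S[i] = ("C%d" % neg[a], tuple(args))
    body: Term = ("f", tuple(S[i] for i in range(1, n + 1)))
    T: Dict[Tuple[int, int], Term] = {}
    for i in range(1, m + 1):             # T_ij = R_kj if x_i = S_k, and a if x_i = S_kl
        ks = [k for k in S if S[k] == ("x%d" % i, ())]
        for j in range(1, m + 1):
            T[i, j] = R[ks[0], j] if ks else A
    return phi, body, T, L_C, R_C


def subst(t: Term, env: Dict[str, Term]) -> Term:
    """Replace every leaf whose head is in env (λ-variables and meta-variables
    only ever occur as leaves here, so no capture can happen)."""
    h, args = t
    if not args and h in env:
        return env[h]
    return (h, tuple(subst(u, env) for u in args))


def check_proposition_1(clauses, variables, eta) -> bool:
    """Does L_C[X:=S][X_ij:=T_ij] β-reduce to R_C?  The β-step replaces each
    x_j by the j-th argument of X, i.e. C_j(T_j1, ..., T_jm)."""
    phi, body, T, L_C, R_C = solution(clauses, variables, eta)
    m = len(clauses)
    args = subst(L_C, {"X%d%d" % (i, j): T[i, j] for (i, j) in T})[1]
    return subst(body, {"x%d" % j: args[j - 1] for j in range(1, m + 1)}) == R_C


# The paper's example: C1 = {a1}, C2 = {a1, a2}, C3 = {¬a1, ¬a2}.
CLAUSES = [{("a1", True)}, {("a1", True), ("a2", True)}, {("a1", False), ("a2", False)}]
VARIABLES = ["a1", "a2"]

if __name__ == "__main__":
    phi, body, T, L_C, R_C = solution(CLAUSES, VARIABLES, {"a1": True, "a2": False})
    print(body)          # f(C3(x1, x2, a), x3), as in the paper
    print(T[3, 1])       # C2(a, a, a), the value of X_31 in the paper's solution
    print(check_proposition_1(CLAUSES, VARIABLES, {"a1": True, "a2": False}))
```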

It remains to prove that $\mathcal{C}$ is satisfiable whenever $(L_\mathcal{C}, R_\mathcal{C})$ admits a solution. We first establish a technical lemma concerning the form of the possible solutions of $(L_\mathcal{C}, R_\mathcal{C})$.

Lemma 6. If the equation (Lc,Rc) admits a solution then the variable X is 
substituted by a term of the form 

Xxi . . . Xm,' f {Ul, . . . , Un) 

where the terms Ui are such that: 

1. either Ui = Xk (for some fc G {!,..., m} ), in which case neg{ai) = Cf, 

2. or Ui = neg(ai)(C/ii, . . . , Uim) where the terms Uij are such that: 

(a) either Uij = Xk (for some k G {1, . . . , m} ), in which case Ck G pos(ai), 

(b) orUij=Rij. 

Proof. Suppose that

$$\begin{cases} X = U \\ x_{ij} = V_{ij} \end{cases}$$

is a solution to the syntactic equation $(L_C, R_C)$. Then, we must have:

$$U(C_1(V_{11}, \ldots, V_{1m}), \ldots, C_m(V_{m1}, \ldots, V_{mm})) \twoheadrightarrow_\beta f(R_1, \ldots, R_n)$$

This implies that $U$ is indeed of the form

$$\lambda x_1 \ldots x_m . f(U_1, \ldots, U_n)$$

where for all $i \in \{1, \ldots, n\}$:

$$U_i[x_j := C_j(V_{j1}, \ldots, V_{jm})]_{j=1}^{m} \twoheadrightarrow_\beta R_i$$

Now, the head of each $U_i$ is either some $\lambda$-variable $x_k$ or some constant. In the first case, $U_i = x_k$, and we must have that

$$C_k(V_{k1}, \ldots, V_{km}) = R_i$$

which implies that $\mathrm{neg}(a_i) = C_k$. In the second case, the head of $U_i$ must be the head of $R_i$, which implies that $U_i$ is of the form

$$\mathrm{neg}(a_i)(U_{i1}, \ldots, U_{im})$$

Moreover, we must have that

$$U_{ik}[x_j := C_j(V_{j1}, \ldots, V_{jm})]_{j=1}^{m} \twoheadrightarrow_\beta R_{ik}$$

Now, if the head of $U_{ik}$ is some $\lambda$-variable $x_l$, we must have $U_{ik} = x_l$, and:

$$C_l(V_{l1}, \ldots, V_{lm}) = R_{ik}$$

This implies that $C_l \in \mathrm{pos}(a_i)$. Otherwise, we have $U_{ik} = R_{ik}$. □

We are now in a position to prove the second half of our reduction result.

Proposition 2. Let $C$ be a 1-neg-sat problem, and $(L_C, R_C)$ be the associated syntactic equation. If $(L_C, R_C)$ admits a solution, then $C$ is satisfiable.

Proof. According to Lemma 6, if $(L_C, R_C)$ admits a solution, then the term $U$ substituted for $X$ is of the form

$$\lambda x_1 \ldots x_m . f(U_1, \ldots, U_n)$$

where:

1. either $U_i = x_k$, for some $k \in \{1, \ldots, m\}$,

2. or $U_i = \mathrm{neg}(a_i)(U_{i1}, \ldots, U_{im})$.

We define a valuation $\eta$ as follows:

$$\eta(a_i) = \begin{cases} 0 & \text{if } U_i = x_j \text{ for some } j \in \{1, \ldots, m\} \\ 1 & \text{otherwise} \end{cases}$$

Now, for every clause $C_j$ such that $x_j = U_i$, for some $i \in \{1, \ldots, n\}$, we have, by Lemma 6, that $\mathrm{neg}(a_i) = C_j$, i.e., $\neg a_i \in C_j$. Consequently, these clauses are satisfied by $\eta$.

As for the other clauses $C_k$, since $U$ is a term of the linear $\lambda$-calculus, there must exist some term $U_{ij}$ such that $U_{ij} = x_k$. In this case, according to Lemma 6, $C_k \in \mathrm{pos}(a_i)$, i.e., $a_i \in C_k$. Consequently, these clauses are also satisfied by $\eta$. □



As a consequence of Lemma 1 and Propositions 1 and 2, we get the main theorem of this paper.

Theorem 1. Linear second-order matching in the linear $\lambda$-calculus is NP-complete.
6 Related Results

The main difference between a context and a linear second-order $\lambda$-term is that the latter has the ability to rearrange its arguments in any order. This explains why linear second-order matching in the linear $\lambda$-calculus is NP-complete while linear context matching is not. Nevertheless, this difference is not significant when the arguments of the second-order meta-variable do not contain any meta-variable (first-order or second-order). Consider a second-order equation of the form:

$$X(T_1, \ldots, T_n) = T$$

where $T_1, \ldots, T_n$, and $T$ are first-order pure linear $\lambda$-terms (such an equation is called an interpolation equation). It is not difficult to see that it may be solved in polynomial time. Indeed, it amounts to checking whether the union of the multisets of the subterms of $T_1, \ldots, T_n$ is included in the multiset of the subterms of $T$.

This polynomiality result, which is quite specific, cannot be generalized. Indeed, as we prove in the next proposition, interpolation in the third-order case is NP-complete.

Proposition 3. Third-order interpolation in the linear $\lambda$-calculus is NP-complete.

Proof. The proof consists in a reduction of 1-neg-sat that we obtain by reducing the equation $(L_C, R_C)$ (as defined in Section 4) to a third-order interpolation equation.

Let $C = \{C_1, \ldots, C_m\}$ be a 1-neg-sat problem defined over the set of boolean variables $A = \{a_1, \ldots, a_n\}$. We build a third-order interpolation equation $(L, R)$ which has a solution if and only if the equation $(L_C, R_C)$ has a solution. From Propositions 1 and 2, this is equivalent to saying that $(L, R)$ has a solution if and only if $C$ is satisfiable. Therefore, from Lemma 1, we obtain that third-order interpolation is an NP-complete problem.

We first define

$$\begin{cases} L = Y(\lambda x_1 \ldots x_m . C_1(x_1, \ldots, x_m), \ldots, \lambda x_1 \ldots x_m . C_m(x_1, \ldots, x_m)) \\ R = R_C \end{cases}$$

Then it remains to prove that $(L, R_C)$ has a solution if and only if $(L_C, R_C)$ has a solution.

Suppose $(L_C, R_C)$ has a solution:

$$\begin{cases} X = U \\ x_{ij} = V_{ij} \end{cases}$$

then the term

$$S = \lambda y_1 \ldots y_m . U(y_1(V_{11}, \ldots, V_{1m}), \ldots, y_m(V_{m1}, \ldots, V_{mm}))$$

is a solution of $(L, R_C)$. Indeed:

$$S(\lambda x_1 \ldots x_m . C_1(x_1, \ldots, x_m), \ldots, \lambda x_1 \ldots x_m . C_m(x_1, \ldots, x_m)) \twoheadrightarrow_\beta U(C_1(V_{11}, \ldots, V_{1m}), \ldots, C_m(V_{m1}, \ldots, V_{mm})) \twoheadrightarrow_\beta R_C$$

Conversely, if $[Y := S]$ is a solution of $(L, R_C)$, then $S = \lambda y_1 \ldots y_m . S'$ and one can find terms of the linear $\lambda$-calculus $U, V_{11}, \ldots, V_{1m}, \ldots, V_{m1}, \ldots, V_{mm}$ such that:

$$U(y_1(V_{11}, \ldots, V_{1m}), \ldots, y_m(V_{m1}, \ldots, V_{mm})) \twoheadrightarrow_\beta S'$$

and then

$$\begin{cases} X = U \\ x_{ij} = V_{ij} \end{cases}$$

is obviously a solution of $(L_C, R_C)$. □
Abstract. XML documents, and other forms of semi-structured data, may be roughly described as edge labeled trees; it is therefore natural to use tree automata to reason on them. This idea has already been successfully applied in the context of Document Type Definition (DTD), the simplest standard for defining XML documents validity, but additional work is needed to take into account XML Schema, a more advanced standard, for which regular tree automata are not satisfactory. In this paper, we define a tree logic that directly embeds XML Schema as a plain subset as well as a new class of automata for unranked trees, used to decide this logic, which is well-suited to the processing of XML documents and schemas.



1 Introduction 

We describe a new class of tree automata, and a related logic on trees, with applications to the processing of XML documents and XML schemas. XML documents, and other forms of semi-structured data [1], may be roughly described as edge labeled trees. It is therefore natural to use tree automata to reason on them and try to apply the classical connection between automata, logic and query languages. This approach has already been followed by various researchers, both from a practical and a theoretical point of view, and has given some notable results, especially when dealing with Document Type Definition (DTD), the simplest standard for defining XML documents validity. A good example is the XDuce system of Pierce, Hosoya et al. [9], a typed functional language with extended pattern-matching operators for XML documents manipulation. In this tool, the types of XML documents are modeled by regular tree automata and the typing of pattern matching expressions is based on closure operations on automata. Another example is given by the hedge automata theory [11], an extension of regular tree automata to unranked trees (that is, trees with nodes of unfixed and unbounded degrees). Hedge automata are at the basis of the implementation of RELAX-NG [6], an alternative proposal to XML Schema. Various extensions of tree automata [2] and monadic tree logics have also been used to study the complexity of manipulating tree structured data but, contrary to our approach, these works are not directly concerned with schemas and are based

* Work partially supported by ATIP CNRS "Fondements de l'Interrogation des Données Semi-Structurées" and by IST Global Computing Profundis.



R. Nieuwenhuis (Ed.): RTA 2003, LNCS 2706, pp. 246-263, 2003. 
(c) Springer- Verlag Berlin Heidelberg 2003 




XML Schema, Tree Logic and Sheaves Automata 247 



on ordered content models. More crucially, several mentions of automata theory appear in the XML specifications, principally to express restrictions on DTD and Schemas in order to obtain almost linear complexity for simple operations.

Document type definitions are expressed in a language akin to regular expressions and specify the set of elements that may be present in a valid document, as well as constraining their order of occurrence. Nonetheless, the "document types" expressible by means of DTD are sometimes too rigid and, for example, a document may become invalid after permutation of some of its elements. A new standard, XML Schema, has been proposed to overcome some of the limitations of the DTD model. In particular, we can interpret XML schemata as terms built using both associative and associative-commutative (AC) operators with unbounded arity, a situation for which regular tree automata are not satisfactory. Indeed, while regular tree automata constitute a useful framework, they have sometimes proved inadequate for practical purposes and many applications require the use of an extended model. To the best of our knowledge, no work so far has considered unranked trees with both associative and associative-commutative symbols, a situation found when dealing with XML Schemata.

We propose a new class of tree automata, named sheaves automata, for dealing with XML documents and schemas. We believe it is the first work on automata theory applied to XML that considers the &-operator. By restricting our study to deterministic automata, we obtain a class of recognizable languages that enjoys good closure properties and we define a related modal logic for documents that is decidable and exactly matches the recognizable languages. A leading goal in the design of our logic is to include a simplified version of XML Schema as a plain subset.

The content of this paper is as follows. We start by defining the syntax of XML documents and XML schemas. A distinctive aspect of our simplified schema language is to include the operator &. In Sect. 4, we present a tree logic intended for querying XML documents. This logic can be interpreted as a direct extension of the schema language with logical operators. The logic deliberately resembles (and extends on some points) TQL, a query language for semi-structured data based on the ambient logic [5,4]. We present a similar logic, with the difference that we deal both with ordered and unordered data structures, while TQL only deals with multisets of elements. Another difference with TQL lies in the addition of arithmetical constraints. In this extended logic, it becomes for instance possible to express constraints on the number of occurrences of an element, such as "there are more fields labeled a than labeled b" or "there is an even number of fields labeled a." While the addition of counting constraints is purely motivated by the presence of &, it incidentally provides a model for the cardinality constraint on repetitions, $e\{m,n\}$, that matches $k$ repetitions of the expression $e$, with $m \leq k \leq n$.

In Sect. 5, we introduce a new class of automata for unranked trees, called Sheaves Automata (SA), that is used to decide our extended tree logic. In the transition relation of SA, we combine the general rules for regular tree automata with regular word expressions and counting constraints. In this framework, regular word expressions allow us to express constraints on sequences of elements and are used when dealing with sequential composition of documents, as in the hedge automata approach. Correspondingly, the counting constraints are used with the &-operator. The counting constraints are Presburger arithmetic formulas on the number of occurrences of each different type of element. Intuitively, counting constraints appear as the counterpart of regular expressions in the presence of a commutative composition operator. Indeed, when the order of the elements becomes irrelevant, that is, when we deal with bags instead of sequences, the only pertinent constraints are numerical.

The choice of Presburger arithmetic is not exclusively motivated by the fact that it is a large class of constraints over natural numbers, which increases the expressiveness of our logic while still remaining decidable. Indeed, we prove that Presburger constraints arise naturally when we consider schemas that combine interleaving, &, and recursive definitions (see Sect. 3). Another reason is that this extension preserves many enjoyable properties of regular tree automata: the class of languages recognized by sheaves automata is closed under union and intersection, testing for emptiness is decidable, ..., while adding some new ones, like the fact that recognizable languages are closed under composition of sequential and commutative operators. Even so, the gain in expressiveness is significant as such. Indeed, Muscholl, Schwentick and Seidl have very recently proposed a new and independent class of automata very close to our model for the sole purpose of making numerical queries on XML documents [12].

Before concluding, we give some results on the complexity of basic problems for schemas. By design, every formula of our extended tree logic directly relates to a deterministic sheaves automaton. As a consequence, we obtain the decidability of the model-checking problem for SL, that is finding the answers to a query, and of the satisfiability problem, that is finding if a query is trivially empty. Moreover, since schemas are directly embedded in the models of SL, we can relate an XML schema to an accepting sheaves automaton, obtaining the decidability of all basic problems: typing a document by a schema, computing the set of documents typed by a schema, computing the set of documents typed by the difference of two schemas ... In proving these results, we also make clear how simple syntactical restrictions on schemas improve the complexity of simple operations.

Omitted proofs may be found in the long version of this paper [8].



2 Documents and Schemata 

XML documents are a simple textual representation for unranked, edge labeled trees. In this report, we follow the notations found in the XDuce system [9] and choose a simplified version of XML documents by leaving aside attributes among other details. Most of the simplifications and notation conventions taken here are also found in the presentation of MSL [3], an attempt to formalize some of the core ideas found in XML Schema.

A document, $d$, is an ordered sequence of elements, $a_1[d_1] \cdot \ldots \cdot a_n[d_n]$, where $a_i$ is a tag name and $d_i$ is a sub-document. A document may also be empty, denoted $\varepsilon$, or be a constant. We consider given sets of atomic data constants partitioned into primitive data types, like String or Integer for instance. Documents may be concatenated, denoted $d_1 \cdot d_2$, and this composition operation is associative with identity element $\varepsilon$.



Elements and Documents

    e ::=                  element or constant
          a[d]             element labeled a, containing d
          cst              constant (any type)
    d ::=                  document
          ε                empty document
          e                element
          d1 · d2          document composition


Example 1. A typical entry of a bibliographical database could be the document:

    book[auth["Knuth"] · title["Art of Computer Programming"] · year[1970]]


A schema may be interpreted as the type of a document. Our definition mostly follows the presentation made in MSL [3]. Nonetheless, we bring some simplifications and modifications to better fit our objective. In particular, we consider three separate syntactical categories: E for element schema definitions, S for (regular) schemata, and T for schemata that may only appear at the top level of an element definition.




Schemas

    E ::=                       Element schema
          a[T]                  element with tag a and interior matching T
          a[T]?                 optional element
          Datatype              datatype constant
    S ::=                       Regular schema
          ε                     empty schema
          E                     element
          S1 · S2               sequential composition
          S + S                 choice
          S*                    indefinite repetition
    T ::=                       Top-level schema
          AnyT                  any type (match everything)
          S                     regular schema
          E1 & ... & En         interleaving composition

A schema is basically a regular expression that constrains the order and number of occurrences of elements in a document. An element, $a[T]$, describes documents that contain a single top element tagged with $a$ and enclosing a sub-document satisfying the schema $T$. An optional element, $a[T]?$, matches one or zero occurrence of $a[T]$. The constructors for schemata include the standard operators found in regular expression languages, where $S \cdot S'$ stands for concatenation and $S + S'$ for choice. For simplicity reasons, we have chosen both iteration, $S^*$, and option, $a[T]?$, instead of the repetition operator $S\{m,n\}$ found in the Schema recommendation. The most original operator is the interleaving operator, $E_1 \& \ldots \& E_n$, which describes documents containing (exactly) elements matching $E_1$ to $E_n$ regardless of their order. Our simplified Schema definition also contains a constant, AnyT, which stands for the most general type or Any Type in XML Schema terminology.

Example 2. Assuming that String and Year are the types associated to string and date constants, the following schema matches the book entry given in Example 1:

    book[title[String] & auth[String] & year[Year]?]

The distinction of a top-level schema allows us to express some of the constraints on the interleaving operator found in the XML specification. For example, & must appear as the sole child at the top of an element schema, that is, terms like $E_1 \cdot (E_2 \& E_3)$ or $(E_1 \& E_2)^*$ are ill-formed.

To capture some situations arising in practice, we may enrich schemata by recursive definitions presented by a system of equations. This can be simply obtained by enriching the syntax with variables, $X, Y, \ldots$ and an operator for recursive schema definition, $(S \text{ where } X_1 = S_1, \ldots, X_n = S_n)$, where the $X_i$'s are bound variable names.

Example 3. We may extend book entries with a ref element listing the entries cited in the book:

    Book where Book = book[auth[String] & title[String] & Ref],
               Ref = ref[Book*]?

Next, we make explicit the role of schemas as a type system for documents and define the relation $d : S$, meaning that the document $d$ satisfies the schema $S$. This relation is based on an auxiliary function, $\mathrm{inter}(d)$, which computes the interleaving of the elements in $d$, that is the set of documents obtainable from $d$ after permutation of its elements: $\mathrm{inter}(e_1 \cdot \ldots \cdot e_n) = \{ e_{\sigma(1)} \cdot \ldots \cdot e_{\sigma(n)} \mid \sigma \text{ permutation of } 1..n \}$.

In the long version of this paper [8], we define a more complex relation, $X_1 : S_1, \ldots, X_n : S_n \vdash d : S$, to type documents using recursive schemas.



Good Documents

$$\frac{d : T}{a[d] : a[T]} \qquad \frac{d : T}{a[d] : a[T]?} \qquad \frac{}{\varepsilon : a[T]?} \qquad \frac{cst \in \mathrm{Datatype}}{cst : \mathrm{Datatype}}$$

$$\frac{}{\varepsilon : \varepsilon} \qquad \frac{d_1 : S_1 \quad d_2 : S_2}{d_1 \cdot d_2 : S_1 \cdot S_2} \qquad \frac{d : S}{d : S + S'} \qquad \frac{d : S'}{d : S + S'}$$

$$\frac{d_1 : S \quad \ldots \quad d_n : S}{d_1 \cdot \ldots \cdot d_n : S^*} \qquad \frac{d \in \mathrm{inter}(e_1 \cdot \ldots \cdot e_n) \quad e_1 : E_1 \quad \ldots \quad e_n : E_n}{d : E_1 \& \ldots \& E_n} \qquad \frac{}{d : \mathrm{AnyT}}$$



In the next section, we introduce some basic mathematical tools that will be 
useful in the definition of both our tree logic and our new class of tree automata. 
3 Basic Results on Presburger Arithmetic and Words

Some computational aspects of our tree automata rely on arithmetical properties over the group $(\mathbb{N}, +)$ of natural numbers with addition. The first-order theory of equality on this structure, also known as Presburger arithmetic, is decidable. Formulas of Presburger arithmetic, also called Presburger constraints, are given by the following grammar. We use $N, M, \ldots$ to range over integer variables and $n, m, \ldots$ to range over integer values.



Presburger Constraint

    Exp ::=                     Integer expression
          n                     positive integer constant
          N                     positive integer variable
          Exp1 + Exp2           addition
    φ ::=                       Presburger constraint
          (Exp1 = Exp2)         test for equality
          ¬φ                    negation
          φ ∨ ψ                 disjunction
          ∃N.φ                  existential quantification

Presburger constraints allow us to define flexible, yet decidable, properties over positive integers like for example: the value of $X$ is strictly greater than the value of $Y$, using the formula $\exists Z.(X = Y + Z + 1)$; or $X$ is an odd number, $\exists Z.(X = Z + Z + 1)$. We denote $\phi(X_1, \ldots, X_p)$ a Presburger formula with free integer variables $X_1, \ldots, X_p$ and we shall simply write $\models \phi(n_1, \ldots, n_p)$ when $\phi(n_1, \ldots, n_p)$ is satisfied.

Decidability of Presburger arithmetic may be proved using a connection with semilinear sets of natural numbers. A linear set of $\mathbb{N}^n$, $L(b, P)$, is a set of vectors generated by linear combination of the periods $P = \{p_1, \ldots, p_k\}$ (where $p_i \in \mathbb{N}^n$ for all $i \in 1..k$), with the base $b \in \mathbb{N}^n$, that is, $L(b, P) =_{\mathrm{def}} \{ b + \sum_{i=1}^{k} \lambda_i p_i \mid \lambda_1, \ldots, \lambda_k \in \mathbb{N} \}$. A semilinear set is a finite union of linear sets and the models of Presburger formulas (with $p$ free variables) are semilinear sets of $\mathbb{N}^p$. An important result is that semilinear sets are closed under union, sum and iteration, where: $L + M = \{ x + y \mid x \in L, y \in M \}$, $L^n = L + \ldots + L$ ($n$ times) and $L^* = \bigcup_{n \geq 0} L^n$. In the case of iteration, the semilinear set $L^*$ may be a union of exponentially many linear sets (in the number of linear sets in $L$).



3.1 Parikh Mapping

Another mathematical tool needed in the presentation of our new class of automata is the notion of Parikh mapping. Given some finite alphabet $\Sigma = \{a_1, \ldots, a_n\}$, that we consider totally ordered, the Parikh mapping of a word $w$ of $\Sigma^*$ is an $n$-tuple of natural numbers, $\#(w) = (m_1, \ldots, m_n)$, where $m_i$ is the number of occurrences of the letter $a_i$ in $w$. We shall use the notation $\#_a(w)$ for the number of occurrences of $a$ in $w$, or simply $\#a$ when there is no ambiguity. The Parikh mapping of a set of words is the set of Parikh mappings of its elements. When the set of words is a regular language, the Parikh mapping can be easily computed and it corresponds to the model of a Presburger formula. Furthermore, when the regular language is described by a regular expression, $reg$, we can compute the Parikh mapping in time $O(|reg|)$ (using regular expressions of semilinear sets). For example, if $a_i$ is the $i$-th letter in $\Sigma$, then $\#(a_i)$ is the linear set $L(u_i, \emptyset)$, where $u_i$ is the $i$-th unit vector of $\mathbb{N}^n$, and the mapping of a sequential composition expression, $reg_1 \cdot reg_2$, is the linear set $\#(reg_1) + \#(reg_2)$.

Proposition 1. The Parikh mapping of a regular language is a semilinear set. 

This property is useful when we consider the intersection of a regular word 
language with a set of words whose Parikh mapping satisfies a given Presburger 
constraint. This is the case in Sect. 4, for example, when we test the emptiness 
of the language accepted by a Sheaves automaton. 
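As an added illustration (not code from the paper), the following Python computes the Parikh mapping of a regular expression as a semilinear set, following the composition rules of Sect. 3.1 (a unit vector for a letter, sum for concatenation, union for choice) and the usual subset construction for iteration, which is where the exponential growth in the number of linear sets shows up. The AST encoding, the function names and the brute-force membership test are this example's own conventions.

```python
# Added example, not code from the paper: the Parikh mapping #(reg) of a regular
# expression over a totally ordered alphabet, built compositionally as a
# semilinear set, i.e. a finite union of linear sets L(b, P) = {b + sum k_i p_i}.
# The AST encoding and the function names are this example's own conventions.
from itertools import combinations

# Regular expression AST (constructed for this example):
#   ('eps',)          the empty word          ('sym', 'a')     a single letter
#   ('cat', r1, r2)   sequential composition  ('alt', r1, r2)  choice
#   ('star', r)       iteration

def unit(letter, alphabet):
    """Unit vector u_i of N^n for the i-th letter of the ordered alphabet."""
    v = [0] * len(alphabet)
    v[alphabet.index(letter)] = 1
    return tuple(v)

def vadd(x, y):
    return tuple(a + b for a, b in zip(x, y))

def parikh_image(reg, alphabet):
    """Return #(reg) as a list of linear sets (base, periods); the Parikh image
    is the union of these sets.  periods is a frozenset of vectors of N^n."""
    zero = tuple([0] * len(alphabet))
    kind = reg[0]
    if kind == 'eps':
        return [(zero, frozenset())]
    if kind == 'sym':
        # #(a_i) = L(u_i, {}): one base vector, no period
        return [(unit(reg[1], alphabet), frozenset())]
    if kind == 'alt':
        # union of two semilinear sets: concatenate their lists of linear sets
        return parikh_image(reg[1], alphabet) + parikh_image(reg[2], alphabet)
    if kind == 'cat':
        # #(reg1 . reg2) = #(reg1) + #(reg2), computed pairwise as
        # L(b1, P1) + L(b2, P2) = L(b1 + b2, P1 u P2)
        return [(vadd(b1, b2), p1 | p2)
                for b1, p1 in parikh_image(reg[1], alphabet)
                for b2, p2 in parikh_image(reg[2], alphabet)]
    if kind == 'star':
        # Iteration of L = L_1 u ... u L_k: the zero vector, plus one linear
        # set per non-empty subset S of {1..k}, whose base is the sum of the
        # bases in S and whose periods are the periods of S together with
        # their bases.  This is where L* may need exponentially many sets.
        lins = parikh_image(reg[1], alphabet)
        result = [(zero, frozenset())]
        for size in range(1, len(lins) + 1):
            for subset in combinations(lins, size):
                base, periods = zero, set()
                for b, p in subset:
                    base = vadd(base, b)
                    periods |= p | {b}
                result.append((base, frozenset(periods)))
        return result
    raise ValueError(f"unknown regular expression node: {kind!r}")

def member(vec, semilinear):
    """Decide whether vec lies in the union of the given linear sets.

    Coefficients are searched exhaustively: every period is a vector of N^n,
    so a period with a positive entry can be used at most max(vec) times."""
    def in_linear(rest, periods):
        if not any(rest):
            return True
        if not periods:
            return False
        p, others = periods[0], periods[1:]
        for k in range(max(rest) + 1):
            r = tuple(c - k * q for c, q in zip(rest, p))
            if min(r) >= 0 and in_linear(r, others):
                return True
        return False
    for base, periods in semilinear:
        rest = tuple(c - b for c, b in zip(vec, base))
        # the zero vector as a period contributes nothing, so it is dropped
        if min(rest) >= 0 and in_linear(rest, [p for p in periods if any(p)]):
            return True
    return False
```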

3.2 Relation with XML Schema

We clarify the relation between Presburger constraints, Parikh's mapping and the semantics of the interleaving operator and try to give an intuition on how the &-operator may add "counting capabilities" to schemas.

Let $a_1, \ldots, a_p$ be distinct element tags and $d$ be a "flat document", i.e. a sequence of elements of the form $a[\varepsilon]$ with $a \in \{a_1, \ldots, a_p\}$; then $\#(\cdot)$ provides a straightforward mapping from $d$ to $\mathbb{N}^p$. Suppose now that we slightly relax the syntactic constraints on schemas in order to accept expressions of the form $((E_1 \& \cdots \& E_n) + E)$ and $(E_1 \& \cdots \& E_n \& X)$. Then, for any Presburger constraint, $\phi$, it is possible to define an (extended recursive) schema that matches the vectors of integers satisfying $\phi$. For example, the schema $X \text{ where } X = ((a_1 \& a_2 \& X) + \varepsilon)$ is associated to the formula $\#a_1 = \#a_2$ (there are as many $a_1$'s as $a_2$'s) and $X \text{ where } X = ((a_1 \& a_1 \& X) + \varepsilon)$ is associated to $\exists N.\, \#a_1 = N + N$ (there is an even number of $a_1$'s).

Proposition 2. For every Presburger formula $\phi$, there is a schema, $S$, such that $d : S$ iff $\models \phi(\#(d))$.

We conjecture that this ability to count is exactly circumscribed to Presburger arithmetic, that is, for every schema denoting a set of natural numbers, there is a Presburger formula denoting the same set.

In the next section, we introduce a modal logic for documents that directly embeds counting constraints. Indeed, Proposition 2 indicates that it is necessary to take into account Presburger constraints when dealing with the &-operator. Moreover, aside from the fact that counting constraints add expressiveness to our logic, another reason for adding Presburger formulas is that we extend the set of recognizable trees while still preserving good (and decidable) closure properties.

4 The Sheaves Logic

We extend our simplified version of XML Schema with a set of logical operators and relax some of its syntactical constraints in order to define a modal logic for documents, the Sheaves Logic (SL). The sheaves logic is a logic in the spirit of the Tree Query Logic (TQL) of Cardelli and Ghelli [4], a modal logic for unranked, edge-labeled trees that has recently been proposed as the basis of a query language for semi-structured data. A main difference between TQL and SL is that the latter may express properties on both ordered and unordered sets of trees. In contrast, our logic lacks some of the operators found in TQL like recursion or quantification over tag names, which could be added at the cost of some extra complexity.

The formulas of SL, ranged over by $A, B, \ldots$, are given by the following grammar. The formulas are partitioned into three syntactical categories: (1) element formulas, $E$, to express properties of a single element in a document; (2) regular formulas, $S$, corresponding to regular expressions on sequences of elements; (3) counting formulas, $T$, to express counting constraints on bags of elements, that is in the situation where the order of the elements is irrelevant.



Logical Formulas

    E ::=                                  Element
          a[S]                             element with tag a and regular formula S
          a[T]                             element with tag a and counting formula T
          AnyE                             any element
          Datatype                         datatype constant
    S ::=                                  Regular formula
          ε                                empty
          E                                element
          S · S'                           sequential composition
          S*                               indefinite repetition
          S ∨ S'                           choice
          ¬S                               negation
    T ::=                                  Counting formula
          ∃N : φ(N) : N1 E1 & ... & Np Ep  generalized interleaving, N = (N1, ..., Np)
          T ∨ T'                           choice
          ¬T                               negation
    A, B, ... ::= S | T | A ∨ A' | ¬A      Sheaves Logic Formula


Aside from the usual propositional logic operators, our main addition to the logic is the "Any Element" constant, AnyE, and a constrained form of existential quantification, $\exists N : \phi(N) : N_1 E_1 \& \ldots \& N_p E_p$, that matches documents made of $n_1 + \ldots + n_p$ elements, with $n_1$ elements matching $E_1$, ..., $n_p$ elements matching $E_p$ (regardless of their order), such that $(n_1, \ldots, n_p)$ satisfies the Presburger formula $\phi$.

The generalized interleaving operator is inspired by the relation between schemas and counting constraints given in Sect. 2. This operator is useful to express more liberal properties on documents than with Schemas. For example, it is now possible to define the type (an example of ill-formed schema) $E_1^* \& E_2$, of documents made only of elements matching $E_1$ but one matching $E_2$, using the formula $\exists N_1, N_2 : (N_1 \geq 0) \wedge (N_2 = 1) : N_1 E_1 \& N_2 E_2$. The AnyE formula matches documents made of a single element. It has been chosen instead of the less general schema AnyT since it could be used in a constrained existential quantification. It is possible to model AnyT using the formulas $\exists N : (N \geq 0) : N\,\mathrm{AnyE}$ and $\mathrm{AnyE}^*$.



Satisfaction Relation. We define the relation $d \models A$, meaning that the document $d$ satisfies the formula $A$. This relation is defined inductively on the definition of $A$, and the rules are shared for regular and counting formulas. In the following, we use the symbol $\mathcal{F}$ to stand for formulas of sort $S$, $T$ or $A$.

Satisfaction

    d ⊨ a[F]                           iff  (d = a[d']) ∧ (d' ⊨ F)
    d ⊨ AnyE                           iff  (d = a[d'])
    d ⊨ Datatype                       iff  (d = cst) ∧ (cst ∈ Datatype)
    d ⊨ ε                              iff  d = ε
    d ⊨ S · S'                         iff  (d = d1 · d2) ∧ (d1 ⊨ S) ∧ (d2 ⊨ S')
    d ⊨ S*                             iff  (d = ε) ∨ ((d = d1 · ... · dp) ∧ (∀i ∈ 1..p, di ⊨ S))
    d ⊨ ∃N : φ(N) : N1E1 & ... & NpEp   iff  ∃n1, ..., np, ∃(e^1_j)_{j ∈ 1..n1}, ..., (e^p_j)_{j ∈ 1..np} :
                                            e^i_j ⊨ Ei ∧ ⊨ φ(n1, ..., np) ∧ d ∈ inter(e^1_1 · ... · e^p_np)
    d ⊨ F ∨ F'                         iff  (d ⊨ F) ∨ (d ⊨ F')
    d ⊨ ¬F                             iff  not (d ⊨ F)


Example of Formulas. We start by defining some syntactic sugar. The formula True will be used for tautologies, that is formulas satisfied by all documents (like $\mathcal{F} \vee \neg\mathcal{F}$ for instance). We also define the notation $E_1 \& \ldots \& E_p$, for the formula satisfied by documents made of a sequence of $p$ elements matching $E_1, \ldots, E_p$, regardless of their order.

$$(E_1 \& \ldots \& E_p) =_{\mathrm{def}} \exists N_1, \ldots, N_p : (N_1 = \ldots = N_p = 1) : N_1 E_1 \& \ldots \& N_p E_p$$

Likewise, we define the notation $(a[S] \& \cdots)$ for the formula satisfied by documents containing at least one element matching $a[S]$:

$$(a[S] \& \cdots) =_{\mathrm{def}} \exists M, N : (M = 1) \wedge (N \geq 0) : M\,a[S] \& N\,\mathrm{AnyE}$$

For a more complex example, let us assume that a book reference is given by the schema in Example 2. The references may have been collected in several databases and we cannot be sure of the order of the fields. The following formula matches collections of books that contain at least 50 entries written by Knuth or Lamport.

$$\exists N, M, X : (N + M = 50 + X) : N\,book[(auth[\text{"Knuth"}] \& \cdots)] \& M\,book[(auth[\text{"Lamport"}] \& \cdots)]$$


Next, we define a new class of tree automata that will be used to decide SL, 
in the sense that the set of documents matched by a formula will correspond to 
the set of terms accepted by an automaton. 
5 A New Class of Tree Automata

We define a class of automata specifically designed to operate on XML schemata. A main distinction with other automata-theoretic approaches, like hedge automata [11] for example, is that we do not focus on regular expressions over paths but, instead, concentrate on the &-operator, which is one of the chief additions of XML Schema with respect to DTD. The definitions presented here have been trimmed down for the sake of brevity. For example, in the complete version of our class of automata, we consider rich sets of constraints between subtrees [10]. Moreover, the definition of SA can be extended to any signature involving free function symbols and an arbitrary number of associative and AC symbols, giving an elegant way to model XML attributes.

A (bottom-up) sheaves automaton, $\mathcal{A}$, is a triple $(Q_A, Q_A^{fin}, R)$ where $Q_A$ is a finite set of states, $\{q_1, \ldots, q_p\}$, $Q_A^{fin}$ is a set of final states included in $Q_A$, and $R$ is a set of transition rules. Transition rules are of three kinds:

(1) $c \to q$

(2) $a[q'] \to q$

(3) $\phi(N_1, \ldots, N_p) \vdash Reg(Q_A) \to q$

Type (1) and type (2) rules correspond to the transition rules found in regular tree automata for constants (leaf nodes) and un
ary function symbols. Type (3) rules, also termed constrained rules, are the only addition to the regular tree automata model and are used to compute on nodes built using the concatenation operator (the only nodes with an unbounded arity). In type (3) rules, $Reg(Q_A)$ is a regular expression on the alphabet $\{q_1, \ldots, q_p\}$ and $\phi(N_1, \ldots, N_p)$ is a Presburger arithmetic formula with free variables $N_1, \ldots, N_p$. Intuitively, the variable $N_i$ denotes the number of occurrences of the state $q_i$ in a run of the automaton. A type (3) rule may fire if we have a term of the form $d_1 \cdot \ldots \cdot d_n$ such that:

– each term $d_i$ leads to a state $q_{j_i} \in Q_A$;

– the word $q_{j_1} \cdot \ldots \cdot q_{j_n}$ is in the language defined by $Reg(Q_A)$;

– the formula $\phi\#(q_{j_1} \cdot \ldots \cdot q_{j_n})$ is satisfied, that is, $\models \phi(n_1, \ldots, n_p)$, where $n_i$ is the number of occurrences of $q_i$ in $q_{j_1} \cdot \ldots \cdot q_{j_n}$.

To stress the connection between variables in the counting constraint $\phi$ and the number of occurrences of $q_i$ matched by $Reg(Q_A)$, we will use $\#q_i$ instead of $N_i$ as the name of integer variables.

Example 4. An example of automaton on the signature $\{c, a[\_], b[\_]\}$ is given by the set of states $Q_A = \{q_a, q_b, q_s\}$, the set of final states $Q_{fin} = \{q_s\}$ and the following set of five transition rules: 

$c \to q_s$ \quad $a[q_s] \to q_a$ \quad $(\#q_a = \#q_b) \wedge$ (# ^ 0) $\vdash (q_a + q_b + q_s)^* \to q_s$ 

$\epsilon \to q_s$ \quad $b[q_s] \to q_b$ 

We show in Example 5, after defining the transition relation, that this particular automaton accepts terms with as many $a$'s as $b$'s at each node, like for example $b[\epsilon] \cdot a[c \cdot b[\epsilon] \cdot c \cdot a[\epsilon]]$. 
If we drop the Presburger arithmetic constraint and restrict to type (3) rules of the form $True \vdash Reg(Q_A) \to q$ we get hedge automata [11]. Conversely, if we drop the regular word expression and restrict to rules of the form $\phi(\#q_1, \ldots, \#q_p) \vdash (q_1 + \ldots + q_p)^* \to q$, we get a class of automata which enjoys all the good properties of regular tree automata, that is closure under boolean operations, a determinisation algorithm, decidability of the test for emptiness, ... When both counting and regular word constraints are needed, some of these properties are no longer valid (at least in the case of non-deterministic SA). 



Transition Relation. The transition relation of an automaton $A$, denoted $d \to_A q$, or simply $\to$ when there is no ambiguity, is the transitive closure of the relation defined by the following three rules. 

Transition Relation: 

(type 1) $\dfrac{c \to q \in R}{c \to q}$ 

(type 2) $\dfrac{d \to q' \qquad n[q'] \to q \in R}{n[d] \to q}$ 

(type 3) $\dfrac{e_1 \to q_{j_1} \quad \ldots \quad e_n \to q_{j_n} \qquad q_{j_1} \cdot \ldots \cdot q_{j_n} \in Reg \qquad \phi^{\#}(q_{j_1} \cdot \ldots \cdot q_{j_n}) \qquad \phi \vdash Reg \to q \in R \quad (n \geq 2)}{e_1 \cdot \ldots \cdot e_n \to q}$ 

The rule for constrained transitions (type (3) rules) can only be applied to sequences of length at least 2. Therefore it cannot be applied to the empty sequence, $\epsilon$, or to a sequence of only one element. It would be possible to extend the transition relation for type (3) rules to these two particular cases, but it would needlessly complicate our definitions and proofs without adding expressivity. 

Example 5. Let $A$ be the automaton defined in Example 4 and $d$ be the document $a[c] \cdot b[a[c] \cdot b[c]]$. A possible accepting run of the automaton is given below: 

$d \to a[c] \cdot b[a[q_s] \cdot b[c]] \to a[q_s] \cdot b[a[q_s] \cdot b[c]] \to a[q_s] \cdot b[a[q_s] \cdot b[q_s]]$ 

$\to q_a \cdot b[a[q_s] \cdot b[q_s]] \to q_a \cdot b[a[q_s] \cdot q_b] \to q_a \cdot b[q_a \cdot q_b]$ 

$\to^{\#} q_a \cdot b[q_s] \to q_a \cdot q_b \to^{\#} q_s$ 

Transitions marked with a $\#$-symbol (transitions 7 and 9) use the only constrained rule of $A$. It is easy to check that, in each case, the word used in the constraints is $q_a \cdot q_b$, that this word belongs to $(q_a + q_b + q_s)^*$ and that it contains as many $q_a$'s as $q_b$'s (its Parikh mapping is $(1, 1, 0)$). 

Our example shows that SA can accept languages which are very different from regular tree languages, in fact closer to context-free languages. In this example, we can recognize trees in which every sequence contains as many $a$'s as $b$'s among its top elements. Indeed, the constrained rule in Example 4 can be interpreted as: "the word $q_1 \cdot \ldots \cdot q_n$ belongs to the context-free language of words with as many $q_a$'s as $q_b$'s." It is even possible to write constraints defining languages which are not even context-free, like $q_a^n \cdot q_b^n \cdot q_c^n$ (just take the Presburger constraint $(\#q_a = \#q_b) \wedge (\#q_b = \#q_c)$ in Example 4). 
As is usual with automata, we say that a document $d$ is accepted by a sheaves automaton $A$ if there is a final state $q \in Q_{fin}$ such that $d \to q$. The language $L(A)$ is the set of terms accepted by $A$. In the following, we will only consider complete automata, such that every term reaches some state. This can be done without loss of generality since, for any SA, $A$, it is always possible to build an equivalent complete automaton, $A_c$ [8]. 

Proposition 3. For any SA, $A$, we can construct a complete automaton, $A_c$, that accepts the language $L(A)$ and is deterministic if $A$ is deterministic. 

Next, we enumerate a list of properties for our new class of automaton. 



Deterministic SA Are Less Powerful Than Non-deterministic SA. A sheaves automaton is deterministic if and only if a term reaches at most one state. Contrary to regular tree automata, the class of deterministic sheaves automata is strictly weaker than the class of sheaves automata. In order to preserve determinism as much as possible, we will choose constructions for basic operations on automata that are a little bit more complex than the usual ones. 

Proposition 4. There is a language accepted by a sheaves automaton that cannot be accepted by any deterministic sheaves automaton. 

Proof. Using an improved "pumping lemma" [8], we prove that the language $L$, consisting of the terms $a^n \cdot b^n \cdot a^m \cdot b^m$, with $n, m > 0$, is not recognizable by a deterministic SA, although there is a non-deterministic SA accepting $L$. □ 



Product, Union and Intersection. Given two automata $A = (Q, Q_{fin}, R)$ and $A' = (Q', Q'_{fin}, R')$, we can construct the product automaton, $A \times A'$, that will prove useful in the definition of the automata for union and intersection. The product $A \times A'$ is the automaton $A^{\times} = (Q^{\times}, \emptyset, R^{\times})$ such that: 

— $Q^{\times} = Q \times Q'$, 

— for every type (1) rules $a \to q \in R$ and $a \to q' \in R'$, the rule $a \to (q, q')$ is in $R^{\times}$, 

— for every type (2) rules $n[q] \to s \in R$ and $n[q'] \to s' \in R'$, the rule $n[(q, q')] \to (s, s')$ is in $R^{\times}$, 

— for every type (3) rules $\phi \vdash Reg \to q \in R$ and $\phi' \vdash Reg' \to q' \in R'$, the rule $\phi^{\times} \vdash Reg^{\times} \to (q, q')$ is in $R^{\times}$, where $Reg^{\times}$ is the regular expression corresponding to the product $Reg \times Reg'$ (this expression can be obtained from the product of an automaton accepting $Reg$ by an automaton accepting $Reg'$). The formula $\phi^{\times}$ is the product of the formulas $\phi$ and $\phi'$ obtained as follows. Let $\#(q, q')$ be the name of the variable associated to the number of occurrences of the state $(q, q')$, then: 

$\phi^{\times} =_{def} \phi\Big(\sum_{q' \in Q'} \#(q_1, q'), \ldots, \sum_{q' \in Q'} \#(q_p, q')\Big) \wedge \phi'\Big(\sum_{q \in Q} \#(q, q'_1), \ldots, \sum_{q \in Q} \#(q, q'_{p'})\Big)$ 
Proposition 5. We have $d \to (q, q')$ in the automaton $A \times A'$ if and only if both $d \to q$ and $d \to q'$. 

Given two automata, $A$ and $A'$, it is possible to obtain an automaton accepting the language $L(A) \cup L(A')$ and an automaton accepting $L(A) \cap L(A')$. The intersection $A \cap A'$ and the union $A \cup A'$ may be simply obtained from the product $A \times A'$ by setting the set of final states to: 

$Q^{\cap}_{fin} =_{def} \{(q, q') \mid q \in Q_{fin} \wedge q' \in Q'_{fin}\}$ 
$Q^{\cup}_{fin} =_{def} \{(q, q') \mid q \in Q_{fin} \vee q' \in Q'_{fin}\}$ 

The union automaton may also be obtained using a simpler construction: take the union of the states of $A$ and $A'$ (supposed disjoint) and modify type (3) rules accordingly. It is enough to simply add the new states to each type (3) rule together with an extra counting constraint stating that the corresponding coefficients must be nil. 

Proposition 6. The automaton $A \cup A'$ accepts $L(A) \cup L(A')$ and $A \cap A'$ accepts $L(A) \cap L(A')$. Moreover, the union and intersection automata are deterministic whenever both $A$ and $A'$ are deterministic. 



Complement. Given a deterministic automaton, A, we may obtain a deter- 
ministic automaton that recognizes the complement of the language £{A) sim- 
ply by exchanging final and non-final states. This property does not hold for 
non-deterministic automata. 

Proposition 7. Non-deterministic Sheaves languages are not closed under com- 
plementation. 

Proof. We prove in [8] that given a two-counter machine, there is a non-determi- 
nistic automaton accepting exactly the bad computations of the machine. Thus, 
if the complement of this language was also accepted by some automaton, we 
could easily derive an automaton accepting the (good) computations reaching a 
final state, hence decide if the two-counter machine halts. □ 

Membership. We consider the problem of checking whether a document, $d$, is accepted by a non-deterministic automaton $A$. We use the notation $|d|$ for the number of elements occurring in $d$ and $|S|$ for the number of elements in a set $S$. The size of an automaton, $|A|$, is the number of symbols occurring in its definition. 

Assume there is a function $Cost$ such that, for all constraints $\phi$, the evaluation of $\phi(n_1, \ldots, n_p)$ can be done in time $O(Cost(p, n))$ whenever $n_i \leq n$ for all $i$ in $1..p$. For quantifier-free Presburger formulas (and if $n$ is in binary notation) such a function is given by $K \cdot p \cdot \log(n)$, where $K$ is the greatest coefficient occurring in $\phi$. For arbitrary situations, that is for formulas involving any quantifier alternation (which is very unlikely to occur in practice), the complexity is doubly exponential for a non-deterministic algorithm. 

Proposition 8. For an automaton $A = (Q, Q_{fin}, R)$, the problem $d \in L(A)$ can be decided in time $O(|d| \cdot |R| \cdot Cost(|Q|, |d|))$ for a deterministic automaton and in time $O(|d|^{p} \cdot |Q| \cdot |R| \cdot Cost(|Q|, |d|))$ for a non-deterministic automaton. 

Proof. The proof is standard in the case of deterministic automata. Otherwise, there are $|d| \cdot |Q|$ possible labelings of the tree $d$ by states of $Q$, and we check the applicability of each rule at each internal node. □ 



Test for Emptiness. We give an algorithm for deciding emptiness that combines a marking algorithm with a test to decide if the combination of a regular expression and a Presburger constraint is satisfiable. We start by defining an algorithm for checking when a word on a sub-alphabet satisfies both a given regular word expression and a given counting constraint. We consider a set of states, $Q = \{q_1, \ldots, q_p\}$, that is also the alphabet for a regular expression $Reg$ and a Presburger formula $\phi(\#q_1, \ldots, \#q_p)$. The problem is to decide whether there is a word on the sub-alphabet $Q' \subseteq Q$ satisfying both $Reg$ and $\phi$. We start by computing the regular expression $Reg|_{Q'}$ that corresponds to the words on the alphabet $Q'$ satisfying $Reg$. This expression can be easily obtained from $Reg$ by a set of simple syntactical rewritings. Then we compute the Parikh mapping $\#(Reg|_{Q'})$ as explained in Sect. 3 and test the satisfiability of the Presburger formula: 

$\phi(\#q_1, \ldots, \#q_p) \wedge \bigwedge_{q \notin Q'} (\#q = 0) \wedge \#(Reg|_{Q'})$ 

When this formula is satisfiable, we say that the constraint $\phi \vdash Reg$ restricted to $Q'$ is satisfiable. This notion is useful in the definition of an updated version of the standard marking algorithm for regular tree automata. The marking algorithm computes a set $Q_m \subseteq Q$ of states and returns a positive answer if and only if there is a final state reachable in the automaton. 



Algorithm 1. Test for Emptiness 

$Q_m = \emptyset$ 
repeat 
    if $a \to q \in R$ then $Q_m = Q_m \cup \{q\}$ 
    if $n[q'] \to q \in R$ and $q' \in Q_m$ then $Q_m = Q_m \cup \{q\}$ 
    if $\phi \vdash Reg \to q \in R$ and the constraint $\phi \vdash Reg$ restricted to $Q_m$ is satisfiable then $Q_m = Q_m \cup \{q\}$ 
until no new state can be added to $Q_m$ 
if $Q_m$ contains a final state then return not empty 
else return empty 
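The bottom-up runs of Example 5 and the marking loop of Algorithm 1, written out as an added example (this is not the paper's code and not an implementation by its authors). It encodes the automaton of Example 4 over the signature $\{c, a[\_], b[\_]\}$ with states $q_a, q_b, q_s$. Two simplifications are assumptions of this example only: just the $\#q_a = \#q_b$ conjunct of the constrained rule is kept, since the second conjunct of that rule is not legible in the scan, and the "constraint restricted to $Q'$ is satisfiable" test of Sect. 5 is replaced by a bounded search over words on $Q'$ instead of the Parikh-mapping/Presburger test. Terms are nested Python lists, with `[]` standing for the empty sequence $\epsilon$.

```python
import itertools
import re

# Constructed example: the sheaves automaton of Example 4.
# A sequence is a list of elements; an element is the constant 'c' or a pair
# (tag, sequence).  The empty list is the empty sequence epsilon.
STATES = ("qa", "qb", "qs")
FINAL = {"qs"}
# Regular expressions over state words use one letter per state.
LETTER = {"qa": "a", "qb": "b", "qs": "s"}

# Type (1) rules: constant -> state ('eps' is the empty sequence).
RULES_CONST = {("c", "qs"), ("eps", "qs")}
# Type (2) rules: tag[state] -> state.
RULES_UNARY = {("a", "qs", "qa"), ("b", "qs", "qb")}
# Type (3) rules: (counting constraint on the Parikh vector, Reg, target state).
# Assumption: only the #qa = #qb conjunct of the printed rule is modelled.
RULES_SEQ = [
    (lambda n: n["qa"] == n["qb"], re.compile("[abs]*"), "qs"),
]


def parikh(word):
    """Parikh vector: number of occurrences of each state in a state word."""
    return {q: word.count(q) for q in STATES}


def rule3_fires(phi, reg, word):
    """A type (3) rule applies to a word of length >= 2 in Reg that satisfies phi."""
    letters = "".join(LETTER[q] for q in word)
    return len(word) >= 2 and reg.fullmatch(letters) is not None and phi(parikh(word))


def run_element(elem):
    """States reached by one element (a set, so non-determinism is handled)."""
    if elem == "c":
        return {q for (c, q) in RULES_CONST if c == "c"}
    tag, seq = elem
    inner = run_sequence(seq)
    return {q for (n, q1, q) in RULES_UNARY if n == tag and q1 in inner}


def run_sequence(seq):
    """States reached by a sequence of elements (the transition relation)."""
    if len(seq) == 0:
        return {q for (c, q) in RULES_CONST if c == "eps"}
    if len(seq) == 1:
        return run_element(seq[0])
    reached = set()
    # Every choice of states for the elements gives a candidate state word.
    for word in itertools.product(*(run_element(e) for e in seq)):
        for phi, reg, q in RULES_SEQ:
            if rule3_fires(phi, reg, word):
                reached.add(q)
    return reached


def accepts(seq):
    """d is accepted iff some final state is reached."""
    return bool(run_sequence(seq) & FINAL)


def constraint_satisfiable(phi, reg, allowed, max_len=4):
    """Bounded stand-in (assumption) for 'phi |- Reg restricted to Q' is
    satisfiable': search words over the allowed states up to max_len."""
    for n in range(2, max_len + 1):
        for word in itertools.product(sorted(allowed), repeat=n):
            if rule3_fires(phi, reg, word):
                return True
    return False


def is_empty():
    """Algorithm 1: mark states until a fixpoint; empty iff no final state marked."""
    marked = set()
    while True:
        new = set(marked)
        new |= {q for (_, q) in RULES_CONST}
        new |= {q for (_, q1, q) in RULES_UNARY if q1 in marked}
        new |= {q for (phi, reg, q) in RULES_SEQ
                if constraint_satisfiable(phi, reg, marked)}
        if new == marked:
            return not (marked & FINAL)
        marked = new


# Example 5's document a[c].b[a[c].b[c]] and the term quoted in Example 4.
D5 = [("a", ["c"]), ("b", [("a", ["c"]), ("b", ["c"])])]
D4 = [("b", []), ("a", ["c", ("b", []), "c", ("a", [])])]

if __name__ == "__main__":
    print(accepts(D5), accepts(D4), accepts([("a", ["c"]), ("a", ["c"])]), is_empty())
```

`run_sequence(D5)` reaches exactly `{"qs"}`, mirroring the run shown in Example 5, while `a[c] · a[c]` reaches no state at all because the top-level word $q_a \cdot q_a$ fails the counting constraint; `is_empty()` marks $q_s$ from the type (1) rules, then $q_a$ and $q_b$ from the type (2) rules, and answers "not empty".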



Proposition 9. A state $q$ is marked by Algorithm 1, that is $q \in Q_m$, iff there exists a term $t$ such that $t \to q$. 

We may prove this claim using a reasoning similar to the one for regular tree automata. We can also establish a result on the complexity of this algorithm. Let $Cost_X$ denote the maximal time required to decide the satisfiability of the constraints occurring in the type (3) rules of $A = (Q, Q_{fin}, R)$. 

Proposition 10. The problem $L(A) = \emptyset$ is decidable in time $O(|Q| \cdot |R| \cdot Cost_X)$. 

The bound can be improved for regular tree automata, yielding a linear complexity. We could also get a linear bound if we have an oracle that, for each set of states $Q' \subseteq Q$ and each constraint, tells whether the constraint restricted to $Q'$ is satisfiable. 

6 Results on the Tree Logic and on XML Schema 

We prove our main property linking sheaves automata and the sheaves logic and 
use this result to derive several important properties of the simplified schema 
language introduced in Sect. 2. 

Theorem 1 (Definability). For each formula $F$ of SL, we can construct a deterministic, complete, sheaves automaton accepting the models of $F$. 

Proof. By structural induction on the definition of $F$. Without loss of generality, we may strengthen the proposition with the following additional conditions: (1) a state $q$ occurring in the right-hand side of a constrained rule may not occur in the left-hand side of a constrained rule; (2) a state occurring in the right-hand side of an unconstrained rule may not occur in the right-hand side of a constrained rule; (3) Presburger constraints may only occur when the right-hand side is not a final state, i.e. constrained rules are of the form $True \vdash Reg(Q) \to q$ whenever $q$ is a final state. We only consider the difficult cases. For the case $F = T \vee T'$ or $\neg T'$, we simply use the fact that deterministic SA are closed under union and complement. 

$F = a[T]$. Let $A_T$ be the automaton constructed for $T$. Let $q$ be a final state and $q'$ be a state occurring in a rule $a[q] \to q'$ of $A_T$. The idea is to choose the states of the form $q'$ as the set of final states. 

Let $q$ be a final state occurring in a rule of the form $a[q] \to q'$. Whenever $q'$ also occurs in a rule $c \to q'$ or $b[\ldots] \to q'$ of $A_T$, we split $q, q'$ into two states $q_a, q_a'$ and $q_d, q_d'$ such that $q_a'$ occurs only in rules $a[q_a] \to q_a'$ and $q_d'$ is used for the other rules, say $c \to q_d'$ or $b[\ldots] \to q_d'$. This is done for all such states $q, q'$ of $A_T$. The state-splitting is necessary to preserve determinism. The automaton $A_F$ is obtained by choosing the states $q_a'$ (where $q$ is final in $A_T$) as the set of final states. 

$F = S^*$, $S \vee S'$, or $S, S'$. In this case, $F$ is a regular expression on some alphabet $E_1, \ldots, E_p$ where the $E_i$ are element formulas. By induction, there is a deterministic automaton $A_i$ accepting the models of $E_i$ for all $i \in 1..p$. Let $A$ be the product automaton of the $A_i$'s. A state $Q$ of $A$ is of the form $(q_1, \ldots, q_p)$, with $q_i$ a state of $A_i$. Therefore $Q$ may represent terms accepted by several $A_i$'s. We use the notation $Q \in fin(A_i)$ to say that the $i$-th component of $Q$ is a final state of $A_i$. 

We consider the regular expression $Reg_F$, with alphabet the set of states of $A$, obtained by syntactically replacing $E_i$ in $F$ with the expression $\bigcup \{Q \mid Q \in fin(A_i)\}$. The complement of $Reg_F$ is denoted $\overline{Reg_F}$. For every state $Q$ and rule $\phi \vdash Reg \to Q$ of $A$, we split $Q$ into two states, $Q_F$ and $Q_{\overline{F}}$, and the constrained rule into two rules $\phi \vdash Reg \cap Reg_F \to Q_F$ and $\phi \vdash Reg \cap \overline{Reg_F} \to Q_{\overline{F}}$. To conclude, we choose the states of the form $Q_F$ (where $Q$ is final in $A$) as the set of final states. This automaton is deterministic and complete and the property follows by showing that $d \models F$ if and only if $d \in L(A)$. 

$F = \exists N : \phi : N_1 E_1 \,\&\, \ldots \,\&\, N_p E_p$. By induction, there is a deterministic automaton $A_i$ accepting the models of $E_i$ for all $i \in 1..p$. The construction is similar to a determinisation process. Let $A$ be the product automaton of the $A_i$'s and let $\{Q_1, \ldots, Q_m\}$ be the states of $A$. A state $Q$ of $A$ is of the form $(q_1, \ldots, q_p)$, with $q_i$ a state of $A_i$, and it may therefore represent terms accepted by several $A_i$'s. We use the notation $Q \in fin(A_i)$ to say that the $i$-th component of $Q$ is a final state of $A_i$. 

The constrained rules of $A$ are of the form $\psi(M_1, \ldots, M_m) \vdash Reg \to Q$, where $M_i$ stands for the number of occurrences of the state $Q_i$ in a run. The idea is to define a Presburger formula, $\phi^{\sharp}(M_1, \ldots, M_m)$, satisfied by configurations $Q_{j_1} \cdot \ldots \cdot Q_{j_n}$ containing a number of final states of the $A_i$'s satisfying $\phi$, and to augment all the type (3) rules with this counting constraint. To define $\phi^{\sharp}$, we decompose $M_i$ into a sum of integer variables $x_i^j$ for $j \in 1..p$, with $x_i^j$ corresponding to a number of final states of $A_j$ occurring in $Q_i$. 

$\phi^{\sharp} =_{def} \exists (x_i^j)_{i \in 1..m,\, j \in 1..p} \cdot \bigwedge_{i \in 1..m} \Big(M_i = \sum_{Q_i \in fin(A_j)} x_i^j\Big) \wedge \phi\Big(\sum_{Q_i \in fin(A_1)} x_i^1, \ldots, \sum_{Q_i \in fin(A_p)} x_i^p\Big)$ 

Finally, we split each constrained rule $\psi \vdash Reg \to Q$ of $A$ into the two rules $\psi \wedge \phi^{\sharp} \vdash Reg \to Q_F$ and $\psi \wedge \neg\phi^{\sharp} \vdash Reg \to Q_{\overline{F}}$, splitting also the state $Q$ into $Q_F$ and $Q_{\overline{F}}$. The automaton $A_F$ is obtained by choosing the states of the form $Q_F$ (where $Q$ is final in $A$) as the set of final states. The automaton is deterministic and complete and the property follows by showing that $d \models F$ if and only if $d \in L(A_F)$. □ 

As a direct corollary of Theorem 1 and Propositions 8 and 10, we obtain key results on the decidability and on the complexity of the sheaves logic. Let $|Q(A_F)|$ be the number of states of the SA associated to $F$. 

Theorem 2 (Decidability). The logic SL is decidable. 

Theorem 3 (Model Checking). For any document, $d$, and formula, $F$, the problem $d \models F$ is decidable in time $O(|d| \cdot |A_F| \cdot Cost(|Q(A_F)|, |d|))$. 

Since the schema language is a plain subset of our tree logic, we can directly transfer these results to schemas and decide the relation $d : S$ using sheaves automata. 

Proposition 11. For every schema, $S$, there is a deterministic SA, $A$, such that $L(A) = \{d \mid d : S\}$, and for every recursive schema, $S$, there is a SA such that $L(A) = \{d \mid d : S\}$. 
Proof. Similar to the proof of Theorem 1. In the case of recursive schemas, we need to introduce a special state $q_X$ for each definition $X = T$ in $S$. Then we construct the automaton corresponding to $T$ and replace $q_X$ in $A_S$ by any final state of $A_T$. □ 

Combined with our previous results, we obtain several decidability properties on schemas, as well as automata-based decision procedures. We can, for example, easily define the intersection and difference of two schemas (that are not necessarily well-formed schemas). 

Theorem 4 (XML Typing). Given a document, d, and a schema, S, the 
problem d : S is decidable. 



Theorem 5 (Satisfaction). Given a schema $S$, the problem $\exists d \cdot d : S$ is decidable. 

7 Conclusion 

Our contribution is a new class of automaton for unranked trees aiming at the manipulation of XML schemas. We believe it is the first work on applying tree automata theory to XML that considers the &-operator. This addition is significant in that interleaving is the source of many complications, essentially because it involves the combination of ordered and unordered data models. This led us to extend hedge automata [11] with counting constraints as a way to express properties on both sequences and multisets of elements. This extension appears quite natural since, when no counting constraints occur, we obtain hedge automata and, when no constraints occur at all, we obtain regular tree automata. 

The interleaving operator has been the subject of many controversial debates in the XML community, mainly because a similar operator was responsible for difficult implementation problems in SGML. Our work gives some justification for these difficulties, like the undecidability of computing the complement of non-deterministic languages. To elude this problem, and in order to limit ourselves to deterministic automata, we have introduced two separate sorts for regular and counting formulas in our logic. It is interesting to observe that a stronger restriction appears in the schema specification, namely that & may only appear at top-level position in an element definition. 

Another source of problems is related to the size and complexity of counting constraints. While the complexity of many operations on Presburger arithmetic is hyper-exponential (in the worst case), the constraints observed in practice are very simple and it seems possible to neglect the complexity of constraint solving in realistic circumstances. As a matter of fact, some simple syntactical restrictions on schemas yield simple Presburger formulas. For example, we may obtain polynomial complexity by imposing that each element tag in an expression & ... & be distinct, a restriction that also appears in the schema specification. 
The goal of this work is not to devise a new schema or pattern language for XML, but rather to find an implementation framework compatible with schemas. An advantage of using tree automata theory for this task is that it also gives us complexity results on problems related to XML schema (and to possible extensions of schemas with logical operators). As indicated by our previous remarks, we may also hope to use our approach to define improved restrictions on schemas and to give a better intuition of their impact. Another advantage of using tree automata is that it suggests multiple directions for improvements, for instance adding the capacity for the reverse traversal of a document or extending our logic with some kind of path expression modality. These two extensions are quite orthogonal to what is already present in our logic and they could be added using some form of backtracking, like a parallel or alternating [7] variant of our tree automata, or by considering tree grammars (that is, equivalently, top-down tree automata). The same extension is needed if we want to process tree-structured data in a streamed way, a situation for which bottom-up tree automata are not well-suited. 
Abstract. In [13], a new size-change principle was proposed to verify 
termination of functional programs automatically. We extend this princi- 
ple in order to prove termination and innermost termination of arbitrary 
term rewrite systems (TRSs). Moreover, we compare this approach with 
existing techniques for termination analysis of TRSs (such as recursive 
path orderings or dependency pairs). It turns out that the size-change 
principle on its own fails for many examples that can be handled by stan- 
dard techniques for rewriting, but there are also TRSs where it succeeds 
whereas existing rewriting techniques fail. In order to benefit from their 
respective advantages, we show how to combine the size-change princi- 
ple with classical orderings and with dependency pairs. In this way, we 
obtain a new approach for automated termination proofs of TRSs which 
is more powerful than previous approaches. 



1 Introduction 

The size-change principle [13] is a new technique for automated termination 
analysis of functional programs, which raised great interest in the functional 
programming and automated reasoning community. However, up to now the con- 
nection between this principle and existing approaches for termination proofs of 
term rewriting was unclear. After introducing the size-change principle in Sect. 2, 
we show how to use it for (innermost) termination proofs of arbitrary TRSs in 
Sect. 3. This also illustrates how to combine the size-change principle with exist- 
ing orderings from term rewriting. In Sect. 4 and 5 we compare the size-change 
principle with classical simplification orderings and with the dependency pair 
approach [1] for termination of TRSs. Finally, to combine their advantages, we 
developed a technique which integrates the size-change principle and dependency 
pairs. The combined technique was implemented in the system AProVE resulting 
in a very efficient and powerful automated method (details can be found in [14]). 

2 The Size-Change Principle 

We assume familiarity with term rewriting [3]. For a TRS $\mathcal{R}$ over a signature $\mathcal{F}$, the defined symbols $\mathcal{D}$ are the root symbols of the left-hand sides of rules and the constructors are $\mathcal{C} = \mathcal{F} \setminus \mathcal{D}$. We restrict ourselves to finite signatures and TRSs. $\mathcal{R}$ is a constructor system if the left-hand sides of its rules have the form $f(s_1, \ldots, s_n)$ where the $s_i$ are constructor terms (i.e., $s_i \in \mathcal{T}(\mathcal{C}, \mathcal{V})$). For a signature $\mathcal{F}$, the embedding rules $Emb_{\mathcal{F}}$ are $\{f(x_1, \ldots, x_n) \to x_i \mid f \in \mathcal{F}, n = arity(f), 1 \leq i \leq n\}$. 
In [13], the size-change principle was formulated for a functional programming language with eager evaluation strategy and without pattern matching. Such functional programs are easily transformed into TRSs which are orthogonal constructor systems whose ground normal forms only contain constructors (i.e., all functions are "completely" defined). In this section we present an extension of the original size-change principle which can be used for arbitrary TRSs. 

We call $(\succeq, \succ)$ a reduction pair [11] on $\mathcal{T}(\mathcal{F}, \mathcal{V})$ if $\succeq$ is a quasi-ordering and $\succ$ is a well-founded ordering where $\succeq$ and $\succ$ are closed under substitutions and compatible (i.e., $\succeq \circ \succ \subseteq \succ$ or $\succ \circ \succeq \subseteq \succ$, but $\succ \subseteq \succeq$ is not required). In general, neither $\succeq$ nor $\succ$ must be closed under contexts. The reduction pair is monotonic if $\succ$ is closed under contexts. In Sect. 3 we examine which additional conditions must be imposed on $(\succeq, \succ)$ in order to use the size-change principle for (innermost) termination proofs of TRSs. Size-change graphs denote how the size of function parameters changes when going from one function call to another. 

Definition 1 (Size-Change Graph). Let $(\succeq, \succ)$ be a reduction pair. For every rule $f(s_1, \ldots, s_n) \to r$ of a TRS $\mathcal{R}$ and every subterm $g(t_1, \ldots, t_m)$ of $r$ where $g \in \mathcal{D}$, we define a size-change graph. The graph has $n$ output nodes marked with $\{1_f, \ldots, n_f\}$ and $m$ input nodes marked with $\{1_g, \ldots, m_g\}$. If $s_i \succ t_j$, then there is a directed edge marked with "$\succ$" from output node $i_f$ to input node $j_g$. Otherwise, if $s_i \succeq t_j$, then there is an edge marked with "$\succeq$" from $i_f$ to $j_g$. If $f$ and $g$ are clear from the context, then we often omit the subscripts from the nodes. So a size-change graph is a bipartite graph $G = (V, W, E)$ where $V = \{1_f, \ldots, n_f\}$ and $W = \{1_g, \ldots, m_g\}$ are the labels of the output and input nodes, respectively, and we have edges $E \subseteq V \times W \times \{\succeq, \succ\}$. 

Example 2. Let $\mathcal{R}$ consist of the following rules. 

$f(s(x), y) \to f(x, s(x))$ (1) \qquad $f(x, s(y)) \to f(y, x)$ (2) 

$\mathcal{R}$ has two size-change graphs $G_{(1)}$ and $G_{(2)}$ resulting from (1) and (2). Here, we use the embedding ordering on constructors $\mathcal{C}$, i.e., $(\succeq, \succ) = (\to^*_{Emb_{\mathcal{C}}}, \to^+_{Emb_{\mathcal{C}}})$. 

$G_{(1)}$: $1_f \xrightarrow{\succ} 1_f$, $1_f \xrightarrow{\succeq} 2_f$ \qquad $G_{(2)}$: $1_f \xrightarrow{\succeq} 2_f$, $2_f \xrightarrow{\succ} 1_f$ 

To trace sizes of parameters along subsequent function calls, size-change graphs $(V_1, W_1, E_1)$ and $(V_2, W_2, E_2)$ can be concatenated to multigraphs if $W_1 = V_2$, i.e., if they correspond to arguments $\{1_g, \ldots, m_g\}$ of the same function $g$. 

Definition 3 (Multigraph and Concatenation). Every size-change graph of $\mathcal{R}$ is a multigraph of $\mathcal{R}$ and if $G = (\{1_f, \ldots, n_f\}, \{1_g, \ldots, m_g\}, E_1)$ and $H = (\{1_g, \ldots, m_g\}, \{1_h, \ldots, p_h\}, E_2)$ are multigraphs w.r.t. the same reduction pair $(\succeq, \succ)$, then the concatenation $G \cdot H = (\{1_f, \ldots, n_f\}, \{1_h, \ldots, p_h\}, E)$ is also a multigraph of $\mathcal{R}$. For $1 \leq i \leq n$ and $1 \leq k \leq p$, $E$ contains an edge from $i_f$ to $k_h$ iff $E_1$ contains an edge from $i_f$ to some $j_g$ and $E_2$ contains an edge from $j_g$ to $k_h$. If there is such a $j_g$ where the edge of $E_1$ or $E_2$ is labelled with "$\succ$", then the edge in $E$ is labelled with "$\succ$" as well. Otherwise, it is labelled with "$\succeq$". A multigraph $G$ is called maximal if its input and output nodes are both labelled with $\{1_f, \ldots, n_f\}$ for some $f$ and if it is idempotent, i.e., $G = G \cdot G$. 
Example 4. In Ex. 2 we obtain the following three maximal multigraphs: 

$G_{(1)} \cdot G_{(2)}$: $1_f \xrightarrow{\succ} 1_f$, $1_f \xrightarrow{\succ} 2_f$ \qquad $G_{(2)} \cdot G_{(1)}$: $2_f \xrightarrow{\succ} 1_f$, $2_f \xrightarrow{\succ} 2_f$ \qquad $G_{(2)} \cdot G_{(2)}$: $1_f \xrightarrow{\succ} 1_f$, $2_f \xrightarrow{\succ} 2_f$ 

For termination, in every maximal multigraph a parameter must be decreasing.¹ 

Definition 5 (Size-Change Termination). A TRS $\mathcal{R}$ over the signature $\mathcal{F}$ is size-change terminating w.r.t. a reduction pair $(\succeq, \succ)$ on $\mathcal{T}(\mathcal{F}, \mathcal{V})$ iff every maximal multigraph contains an edge of the form $i \xrightarrow{\succ} i$. 

In Ex. 4, each maximal multigraph contains the edge $1_f \xrightarrow{\succ} 1_f$ or $2_f \xrightarrow{\succ} 2_f$. So the TRS is size-change terminating w.r.t. the embedding ordering. Note that classical path orderings from term rewriting fail on this example (see Sect. 4). 
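Definitions 1, 3 and 5 carried out on the TRS of Example 2, as an added example (not the authors' code and not the AProVE implementation mentioned in the introduction). Terms are variables (strings) or pairs `(symbol, args)`; the reduction pair is the embedding ordering $(\to^*_{Emb_{\mathcal{C}}}, \to^+_{Emb_{\mathcal{C}}})$ of Example 2, implemented as the homeomorphic embedding test `embeds`. Because both rules of Example 2 call `f` from `f`, every multigraph here has input and output nodes $\{1_f, 2_f\}$, so the closure under concatenation and the idempotence test can be done on plain edge sets; the names `concat`, `maximal_multigraphs` and `size_change_terminating` are this example's own.

```python
# Constructed example: size-change graphs, their concatenation, the maximal
# multigraphs and the size-change termination test for the TRS of Example 2.
# A term is a variable (str) or (symbol, tuple_of_args).  Edge labels:
STRICT, WEAK = ">", ">="   # stand for the labels "succ" and "succeq"


def embeds(s, t):
    """s ->*_Emb t: t is obtained from s by deleting function symbols
    (homeomorphic embedding); this is the quasi-ordering of Example 2."""
    if s == t:
        return True
    if isinstance(s, str):          # a variable embeds only itself
        return False
    f, args = s
    if any(embeds(a, t) for a in args):   # delete the root of s
        return True
    return (not isinstance(t, str) and t[0] == f and len(t[1]) == len(args)
            and all(embeds(a, b) for a, b in zip(args, t[1])))


def size_change_graph(lhs, call):
    """Definition 1: edges (i, j, label) from argument i of the left-hand side
    f(s1..sn) to argument j of a recursive call g(t1..tm) in the right-hand side."""
    edges = set()
    for i, s in enumerate(lhs[1], start=1):
        for j, t in enumerate(call[1], start=1):
            if embeds(s, t) and s != t:          # s ->+_Emb t, strict decrease
                edges.add((i, j, STRICT))
            elif embeds(s, t):                   # s ->*_Emb t, weak decrease
                edges.add((i, j, WEAK))
    return frozenset(edges)


def concat(g, h):
    """Definition 3: i -> k is in G.H iff i -> j in G and j -> k in H for some j;
    the edge is strict iff one of the two edges used is strict."""
    best = {}
    for (i, j, l1) in g:
        for (j2, k, l2) in h:
            if j == j2:
                label = STRICT if STRICT in (l1, l2) else WEAK
                if label == STRICT or best.get((i, k)) != STRICT:
                    best[(i, k)] = label
    return frozenset((i, k, l) for (i, k), l in best.items())


def maximal_multigraphs(graphs):
    """Close the graphs under concatenation and keep the idempotent ones
    (all graphs here are f -> f, so input and output nodes coincide)."""
    closed = set(graphs)
    frontier = set(graphs)
    while frontier:
        new = ({concat(g, h) for g in closed for h in frontier}
               | {concat(h, g) for g in closed for h in frontier})
        frontier = new - closed
        closed |= new
    return {g for g in closed if concat(g, g) == g}


def size_change_terminating(graphs):
    """Definition 5: every maximal multigraph has a strict edge i -> i."""
    return all(any(i == j and l == STRICT for (i, j, l) in g)
               for g in maximal_multigraphs(graphs))


# Rules of Example 2: f(s(x), y) -> f(x, s(x)) and f(x, s(y)) -> f(y, x).
LHS1, CALL1 = ("f", (("s", ("x",)), "y")), ("f", ("x", ("s", ("x",))))
LHS2, CALL2 = ("f", ("x", ("s", ("y",)))), ("f", ("y", "x"))
G1 = size_change_graph(LHS1, CALL1)
G2 = size_change_graph(LHS2, CALL2)

if __name__ == "__main__":
    for g in sorted(maximal_multigraphs([G1, G2])):
        print(sorted(g))
    print(size_change_terminating([G1, G2]))
```

`G1` comes out as $\{1_f \xrightarrow{\succ} 1_f,\ 1_f \xrightarrow{\succeq} 2_f\}$ and `G2` as $\{1_f \xrightarrow{\succeq} 2_f,\ 2_f \xrightarrow{\succ} 1_f\}$; the closure contains six multigraphs, of which exactly the three listed in Example 4 are idempotent, and each of them has a strict self-edge, so `size_change_terminating` answers `True`. Note that with the embedding ordering a rule such as `f(a) -> f(b)` yields a graph with no edges at all, whose only maximal multigraph is the empty graph, so the test fails for it (Example 6 reaches its different verdict only because it uses a lexicographic path ordering instead).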

Since there are only finitely many possible multigraphs, they can be construc- 
ted automatically. So for a given reduction pair, size-change termination is decid- 
able. However, in general size-change termination does not imply termination. 

Example 6. Consider the TRS with the rules $f(a) \to f(b)$ and $b \to a$. If we use the lexicographic path ordering $\succ_{lpo}$ [9] with the precedence $a > b$, then the only maximal multigraph is $1_f \xrightarrow{\succ} 1_f$. So size-change termination is proved, although the TRS is obviously not terminating. 



3 Size-Change Termination and Termination of TRSs 

In this section we develop conditions on the reduction pair used in Def. 5 which 
ensure that size-change termination indeed implies (innermost) termination. 
Then the size-change principle can be combined with classical orderings from 
term rewriting and it becomes a sound termination criterion. 

In [13], the authors use reduction pairs $(\succeq, \succ)$ where $\succeq$ is the reflexive closure of $\succ$ and $\succ$ is defined in terms of a well-founded relation $>$ on (ground) normal forms of $\mathcal{R}$. We now show that such reduction pairs can be used for innermost termination proofs of arbitrary TRSs. Moreover, $\succeq$ can be any compatible quasi-ordering. We denote innermost reduction steps by $\to_i$ and $s \to_i^! s'$ means that $s'$ is a normal form reachable from $s$ by innermost reduction. Thm. 7 will serve as the basis for the automation of the size-change principle in Thm. 8 afterwards. 

Theorem 7 (Size-Change Termination and Innermost Termination). Let $>$ be a well-founded ordering on normal forms of a TRS $\mathcal{R}$. For $s, t \in \mathcal{T}(\mathcal{F}, \mathcal{V})$ we define $NF(s, t) = \{(s', t') \mid s\sigma \to_i^! s',\ t\sigma \to_i^! t',\ \sigma$ instantiates all variables of $s$ and $t$ with normal forms of $\mathcal{R}\}$. Let $(\succeq, \succ)$ be a reduction pair where $s \succ t$ implies $s' > t'$ for all $(s', t') \in NF(s, t)$. If $\mathcal{R}$ is size-change terminating w.r.t. $(\succeq, \succ)$, then $\mathcal{R}$ is innermost terminating. 



¹ Def. 5 corresponds to an equivalent characterization of size-change termination [13]. 
Proof. If $\mathcal{R}$ is not innermost terminating, then there is a minimal non-innermost terminating term $v_0$, i.e., all proper subterms of $v_0$ are innermost terminating. Let $\to_{\epsilon}$ denote root reductions and let $\to_{>\epsilon}$ denote reductions below the root. Then $v_0$'s infinite innermost reduction starts with $v_0 \to^*_{i, >\epsilon} u_1 \to_{i, \epsilon} w_1$ where all proper subterms of $u_1$ are in normal form. Since $w_1$ is not innermost terminating, it has a minimal non-innermost terminating subterm $v_1$. 

The infinite reduction continues in the same way. So for $i \geq 1$, we have $v_{i-1} \to^*_{i, >\epsilon} u_i = l_i \sigma_i$ and $v_i = r'_i \sigma_i$ for a rule $l_i \to r_i$, a subterm $r'_i$ of $r_i$ with defined root, and a substitution $\sigma_i$ instantiating $l_i$'s variables with normal forms. 

For each step from $u_i$ to $v_i$ there is a corresponding size-change graph $G_i$. We regard the infinite graph resulting from $G_1, G_2, \ldots$ by identifying the input nodes of $G_i$ with the output nodes of $G_{i+1}$. If $\mathcal{R}$ is size-change terminating, by [13, Thm. 4] resp. [14, Lemma 7], this infinite graph contains an infinite path where infinitely many edges are labelled with "$\succ$". Without loss of generality we assume that this path already starts in $G_1$. For every $i$, let $a_i$ be the output node in $G_i$ which is on this path. So we have $l_i|_{a_i} \succ r'_i|_{a_{i+1}}$ for all $i$ from an infinite set $I \subseteq \mathbb{N}$ and $l_i|_{a_i} \succeq r'_i|_{a_{i+1}}$ for $i \in \mathbb{N} \setminus I$. Note that $l_i|_{a_i} \sigma_i = u_i|_{a_i}$ and $r'_i|_{a_{i+1}} \sigma_i = v_i|_{a_{i+1}} \to_i^! u_{i+1}|_{a_{i+1}}$. Thus, $(u_i|_{a_i}, u_{i+1}|_{a_{i+1}}) \in NF(l_i|_{a_i}, r'_i|_{a_{i+1}})$. So for $I = \{i_1, i_2, \ldots\}$ we obtain $u_{i_1}|_{a_{i_1}} > u_{i_2}|_{a_{i_2}} > \cdots$ which contradicts well-foundedness of $>$. □ 

Innermost termination is interesting, since then there are no infinite reductions w.r.t. eager evaluation strategies. Moreover, for non-overlapping TRSs, innermost termination already implies termination. However, Thm. 7 is not yet suitable for automation. To check whether $\succ$ satisfies the conditions of Thm. 7, one has to examine infinitely many instantiations of $s$ and $t$ and compute normal forms $s'$ and $t'$ although $\mathcal{R}$ is possibly not innermost terminating. Therefore, in the examples of [13], one is restricted to relations $\succeq$ and $\succ$ on constructor terms. 

Thm. 8 shows how to use reduction pairs on T(C,V) for possibly automated innermost termination proofs. A reduction pair (≿,≻) on T(C,V) with C ⊆ F can be extended to a (usually non-monotonic) reduction pair (≿',≻') on T(F,V) by defining s ≿' t if s = t or if there are u, v ∈ T(C,V) with u ≿ v and s = uσ, t = vσ for some substitution σ. Moreover, s ≻' t iff u ≻ v for u and v as above.

Theorem 8 (Innermost Termination Proofs). Let (≿,≻) be a reduction pair on T(C,V). If R is size-change terminating w.r.t. the extension of the reduction pair (≿,≻) to T(F,V), then R is innermost terminating.

Proof. Let (≿',≻') be the extension of (≿,≻) to T(F,V). We show that s ≻' t implies s' ≻' t' for all (s',t') ∈ NF(s,t). Then the theorem follows from Thm. 7.

By the definition of extensions, s ≻' t iff s = uσ, t = vσ, and u ≻ v for suitable u, v, and σ. In particular, u and v must be constructor terms and we also have u ≻' v (as σ may also be the identity). Since NF(s,t) ⊆ {(uσ,vσ) | σ instantiates u's and v's variables with normal forms}, the claim follows from u ≻' v, because ≻' is closed under substitutions. □

268 Rene Thiemann and Jürgen Giesl

For the TRS in Ex. 2, when using the extension of the reduction pair (→*_{Emb_C}, →+_{Emb_C}) on T(C,V), we obtain the same size-change graphs as with (→*_{Emb_C}, →+_{Emb_C}) itself. Ex. 4 shows that this TRS is size-change terminating w.r.t. this reduction pair and hence, by Thm. 8, this proves innermost termination. However, a variant of Toyama's example [15] shows that Thm. 7 and Thm. 8 are not sufficient to prove full (non-innermost) termination.

Example 9. Let R = {f(c(a,b,x)) → f(c(x,x,x)), g(x,y) → x, g(x,y) → y}. We define ≿ = →*_S and ≻ = →+_S restricted to T(C,V), where S is the terminating TRS c(a,b,x) → c(x,x,x). The only maximal multigraph is 1_f →≻ 1_f. So R is size-change terminating and innermost terminating by Thm. 8, but not terminating.

As in Ex. 9, reduction pairs (→*_S, →+_S) satisfying the conditions of Thm. 8 can be defined using a terminating TRS S over the signature C. The following theorem shows that if S is non-duplicating, then we may use the relation →_S also on terms with defined symbols, and size-change termination even implies full termination. A TRS is non-duplicating if every variable occurs on the right-hand side of a rule at most as often as on the corresponding left-hand side. So size-change termination of the TRS in Ex. 2 and Ex. 4 using the reduction pair (→*_{Emb_C}, →+_{Emb_C}) implies that the TRS is indeed terminating.

To prove the theorem, we need a preliminary lemma which states that minimal non-terminating terms w.r.t. R ∪ S cannot start with constructors of R. Again, here S must be non-duplicating. Otherwise, in Ex. 9, c(a,b,g(a,b)) is a minimal non-terminating term w.r.t. R ∪ S that starts with a constructor of R.

Lemma 10. Let R be a TRS over the signature F with constructors C and let S be a terminating non-duplicating TRS over C. If t_1, ..., t_n ∈ T(F,V) are terminating w.r.t. R ∪ S and c ∈ C, then c(t_1, ..., t_n) is also terminating w.r.t. R ∪ S.

Proof. For any term s ∈ T(F,V), let M_s be the multiset of the maximal subterms of s whose root is defined, i.e., M_s = {s|π | root(s|π) ∈ D and for all π' above π we have root(s|π') ∈ C}. Moreover, let s' be the term that results from s by replacing all maximal subterms with defined root by the same fresh special variable x_C. Let →_{R∪S} also denote the extension of →_{R∪S} to multisets, where M →_{R∪S} M' iff M = N ∪ {s} and M' = N ∪ {t_1, ..., t_n} with n ≥ 0 and s →_{R∪S} t_i for all i. We prove the following conjecture.

    Let s ∈ T(F,V) such that all terms in M_s are terminating w.r.t. R ∪ S and let s →_{R∪S} t. Then all terms in M_t are also terminating w.r.t. R ∪ S. Moreover, M_s →_{R∪S} M_t, or both M_s = M_t and s' →_S t'.   (3)

Note that →_{R∪S} is well founded on multisets like M_s which only contain terminating terms. Termination of S implies that →_S is also well founded, and the lexicographic combination of two well-founded orderings preserves well-foundedness. Hence, (3) implies that if all terms in M_s are terminating, then s is terminating as well. So the lemma immediately follows from Conjecture (3).

To prove (3), we distinguish according to the position π where the reduction s →_{R∪S} t takes place. If s has a defined symbol of D on or above position π, then this implies M_s →_{R∪S} M_t and all terms in M_t are also terminating. Otherwise, if π is above all symbols of D in s, then s →_{R∪S} t implies s →_S t and M_s ⊇ M_t (since S is non-duplicating). Moreover, s →_S t also implies s' →_S t'. □
Theorem 11 (Termination Proofs). Let R be a TRS over the signature F with constructors C and let S be a terminating non-duplicating TRS over C. If R is size-change terminating w.r.t. the reduction pair (→*_S, →+_S) on T(F,V), then R (and even R ∪ S) is terminating.

Proof. We define R' := R ∪ S. If R' is not terminating, then as in the proof of Thm. 7 we obtain an infinite sequence of minimal non-terminating terms u_i, v_i with v_i →*_{R'} u_{i+1}, where the step from u_i to v_i corresponds to a size-change graph of R'. Thus, for all i there is a rule l_i → r_i in R' with u_i = l_i σ_i and v_i = r'_i σ_i for a subterm r'_i of r_i and a substitution σ_i.

By Lemma 10, the roots of u_i and v_i are defined symbols. So all these size-change graphs are from R. As in Thm. 7's proof, there are a_i with l_i|a_i →+_S r'_i|a_{i+1} for all i from an infinite I ⊆ ℕ and l_i|a_i →*_S r'_i|a_{i+1} for i ∈ ℕ \ I. Since →_S is closed under substitution, we have u_i|a_i →+_S v_i|a_{i+1} or u_i|a_i →*_S v_i|a_{i+1}, respectively. Recall v_i|a_{i+1} →*_{R'} u_{i+1}|a_{i+1} and S ⊆ R'. So for I = {i_1, i_2, ...} we have u_{i_1}|a_{i_1} →+_{R'} u_{i_2}|a_{i_2} →+_{R'} ..., i.e., an infinite R'-reduction of the proper subterm u_{i_1}|a_{i_1} of u_{i_1}, contradicting the minimality of the terms u_i. □

Thm. 8 and 11 offer two possibilities for automating the size-change principle. Even for innermost termination, they do not subsume each other. Ex. 9 cannot be handled by Thm. 11, and innermost termination of {g(f(a)) → g(f(b)), f(x) → x} cannot be proved with Thm. 8, since f(a) ≻ f(b) does not hold for any extension of an ordering on constructor terms. But termination is shown with Thm. 11 using S = {a → b}. A variant of Thm. 11 for innermost termination holds if S is innermost terminating (and possibly duplicating). However, this variant only proves innermost termination of R ∪ S, which does not imply innermost termination of R.

So Thm. 8 and Thm. 11 are new contributions that show which reduction pairs are admissible when using size-change termination for termination or innermost termination proofs of TRSs. In this way, size-change termination becomes an automatic technique, since one can use classical techniques from termination of term rewriting to generate suitable reduction pairs automatically.

4 Comparison with Orderings from Term Rewriting 

Traditional techniques for TRSs prove simple termination, where R is simply terminating iff it is compatible with a simplification ordering (e.g., LPO or RPOS [5,9], KBO [10], most polynomial orderings [12]). Equivalently, R is simply terminating iff R ∪ Emb_F terminates for R's signature F. Similar to traditional techniques, the size-change principle essentially only verifies simple termination.

Theorem 12 (Size-Change Principle and Simple Termination).

(a) A TRS R over a signature F is size-change terminating w.r.t. a reduction pair (≿,≻) iff R ∪ Emb_F is size-change terminating w.r.t. (≿,≻).

(b) Let S be as in Thm. 11. If S is simply terminating and R is size-change terminating w.r.t. (→*_S, →+_S) on T(F,V), then R ∪ S is simply terminating.

Proof. (a) The "if" direction is obvious. For the "only if" direction, note that Emb_F yields no new size-change graphs. But due to Emb_C, all constructors are transformed into defined symbols. So from the R-rules we obtain additional size-change graphs whose input nodes are labelled with (former) constructors (i.e., 1_c, ..., n_c for c ∈ C). However, since output nodes are never labelled with constructors, this does not yield new maximal multigraphs (since there, output and input nodes are labelled by the same function). Hence, size-change termination is not affected when adding Emb_F.

(b) As in (a), adding Emb_D to R yields no new size-change graphs and thus, R ∪ Emb_D is also size-change terminating w.r.t. (→*_S, →+_S) and hence, also w.r.t. (→*_{S ∪ Emb_C}, →+_{S ∪ Emb_C}). As S ∪ Emb_C is terminating, Thm. 11 implies termination of R ∪ Emb_D ∪ S ∪ Emb_C, i.e., simple termination of R ∪ S. □

The restriction to simple termination excludes many relevant TRSs. Thm. 12 
illustrates that the size-change principle cannot compete with new techniques 
(e.g., dependency pairs [1] or monotonic semantic path ordering [4]) where sim- 
plification orderings may be applied to non-simply terminating TRSs as well. 
However, these new techniques require methods to generate underlying base or- 
derings. Hence, there is still an urgent need for powerful simplification orderings. 

Now we clarify the connection between size-change termination and classical 
simplification orderings and show that they do not subsume each other in general. 

A major advantage of the size-change principle is that it can simulate the 
basic ingredients of RPOS, i.e., the concepts of lexicographic and of multiset- 
comparison. Thus, by the size-change principle w.r.t. a very simple reduction 
pair like the embedding ordering we obtain an automated method for termination 
analysis which avoids the search problems of RPOS and which can still capture 
the idea of comparing tuples of arguments lexicographically or as multisets. 

More precisely, for a reduction pair (≿,≻), let ≻_lex and ≻_mul result from comparing tuples s* and t* of terms lexicographically and as multisets, respectively. If s*_i ≻_lex t*_i for all 1 ≤ i ≤ k, then the TRS {f(s*_1) → f(t*_1), ..., f(s*_k) → f(t*_k)} is size-change terminating w.r.t. (≿,≻). In particular, size-change termination w.r.t. the same reduction pair (≿,≻) can simulate ≻_lex for any permutation used to compare the components of a tuple. Similarly, if s*_i ≻_mul t*_i for all i, then this TRS is also size-change terminating w.r.t. (≿,≻).* For example, the TRS computing the Ackermann function as well as the TRS {plus(0,y) → y, plus(s(x),y) → s(plus(y,x))} are size-change terminating w.r.t. the embedding ordering on constructors, whereas traditional rewriting techniques would need the lexicographic and the recursive (multiset) path ordering, respectively.

Since both lexicographic and multiset comparison are simulated by the size-change principle using the same reduction pair, one can also handle TRSs like Ex. 2 where traditional path orderings like RPOS (or KBO) fail. In the first rule f(s(x),y) → f(x,s(x)) the arguments of f have to be compared lexicographically from left to right, and in the second rule f(x,s(y)) → f(y,x) they have to be compared as multisets. If one adds the rules for the Ackermann function, then polynomial orderings fail as well, but size-change termination is proved as before.

However, compared to classical path orderings, the size-change principle also has several drawbacks. One problem is that it can only simulate lexicographic and multiset comparison for the arguments of the root symbol. Hence, if one adds a new function on top of all terms in the rules, this simulation is no longer possible. For example, the TRS {f(plus(0,y)) → f(y), f(plus(s(x),y)) → f(s(plus(y,x)))} is no longer size-change terminating w.r.t. the embedding ordering, whereas classical path orderings can apply lexicographic or multiset comparisons on all levels of the term. Thus, termination would still be easy to prove with RPO.

* Formal proofs for these observations can be found in [14, Thm. 14 and Thm. 15].

Perhaps the most serious drawback is that the size-change principle lacks concepts to compare defined function symbols syntactically. Consider a TRS with the rule log(s(s(x))) → s(log(s(half(x)))) and rules for half such that half(x) computes ⌊x/2⌋. If a function (like log) calls another defined function (like half) in the arguments of its recursive calls, one has to check whether the argument half(x) is smaller than the term s(x) in the corresponding left-hand side. The size-change principle on its own offers no possibility for that, and its mechanizable versions (Thm. 8 and Thm. 11) fail since they only use an underlying ordering on constructor terms. In contrast, classical orderings like RPO can easily show termination automatically using a precedence log > s > half on function symbols.

Finally, the size-change principle has the disadvantage that it cannot measure terms by combining measures of subterms as in polynomial orderings or KBO.

Example 13. Measures (weights) are especially useful if one parameter is increasing, but the decrease of another parameter is greater than this increase. So termination of {plus(s(s(x)),y) → s(plus(x,s(y))), plus(x,s(s(y))) → s(plus(s(x),y)), plus(s(0),y) → s(y), plus(0,y) → y} is trivial to prove with polynomial orderings or KBO, but the TRS is not size-change terminating w.r.t. any reduction pair.
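As an added, runnable illustration of the size-change principle discussed above (this is editor-supplied Python, not code from the paper or its authors), the following checks size-change termination w.r.t. the embedding ordering (→*_{Emb_C}, →+_{Emb_C}) for the TRS of Ex. 2, where the two rules need lexicographic and multiset comparison respectively, and for the plus-TRS of Ex. 13. Assumptions of the example: terms are encoded as nested Python tuples with variables as bare strings; concatenation of graphs follows the usual definition (Def. 3 is not reproduced on this page), i.e., an edge i → k of G·H exists iff some intermediate node j connects them and is strict iff some such path contains a strict edge; the principle itself is the standard one, every idempotent (maximal) multigraph must contain a strict edge i → i. For Ex. 13 the check only shows failure w.r.t. the embedding ordering; the paper's stronger claim is failure w.r.t. every reduction pair.

```python
"""Size-change termination w.r.t. the embedding ordering (->*_Emb_C, ->+_Emb_C).
Term encoding (an assumption of this example, not the paper's notation): a variable
is a Python str, f(t1, ..., tn) is the tuple (f, t1, ..., tn), a constant c is (c,)."""
from itertools import product

def is_var(t):
    return isinstance(t, str)

def embedded(s, t):
    """s ->*_Emb_C t for Emb_C = {c(x1..xn) -> xi}: delete constructors above an
    argument (rule applied at the root) and/or rewrite inside arguments of an equal root."""
    if s == t:
        return True
    if is_var(s):
        return False
    if any(embedded(si, t) for si in s[1:]):
        return True
    return (not is_var(t) and t[0] == s[0] and len(t) == len(s)
            and all(embedded(si, ti) for si, ti in zip(s[1:], t[1:])))

def strictly_embedded(s, t):
    """s ->+_Emb_C t."""
    return s != t and embedded(s, t)

def defined_symbols(rules):
    return {lhs[0] for lhs, _ in rules}

def defined_subterms(t, D):
    """Subterms of t with a defined root, i.e. the calls in a right-hand side."""
    if is_var(t):
        return
    if t[0] in D:
        yield t
    for a in t[1:]:
        yield from defined_subterms(a, D)

def size_change_graphs(rules):
    """One graph (f, g, edges) per rule f(s1..sn) -> ...g(t1..tm)...; an edge (i, j, strict)
    from output node i_f to input node j_g is strict iff s_i ->+ t_j, weak iff s_i ->* t_j."""
    D = defined_symbols(rules)
    graphs = set()
    for lhs, rhs in rules:
        for call in defined_subterms(rhs, D):
            edges = set()
            for i, si in enumerate(lhs[1:], 1):
                for j, tj in enumerate(call[1:], 1):
                    if strictly_embedded(si, tj):
                        edges.add((i, j, True))
                    elif embedded(si, tj):
                        edges.add((i, j, False))
            graphs.add((lhs[0], call[0], frozenset(edges)))
    return graphs

def concat(G, H):
    """G.H: edge i -> k iff some j gives i -> j in G and j -> k in H;
    strict iff at least one such path contains a strict edge."""
    f, g, E = G
    g2, h, F = H
    assert g == g2, "graphs only concatenate along a common function symbol"
    best = {}
    for i, j, s1 in E:
        for j2, k, s2 in F:
            if j == j2:
                best[(i, k)] = best.get((i, k), False) or s1 or s2
    return (f, h, frozenset((i, k, s) for (i, k), s in best.items()))

def multigraphs(graphs):
    """Close the size-change graphs under concatenation (finite, since the node
    sets are bounded by the arities, so only finitely many graphs exist)."""
    closed, frontier = set(graphs), set(graphs)
    while frontier:
        new = set()
        for G, H in list(product(closed, frontier)) + list(product(frontier, closed)):
            if G[1] == H[0]:
                GH = concat(G, H)
                if GH not in closed:
                    new.add(GH)
        closed |= new
        frontier = new
    return closed

def size_change_terminating(rules):
    """Every maximal multigraph (idempotent, G = G.G) must contain a strict edge i -> i."""
    for G in multigraphs(size_change_graphs(rules)):
        if G[0] == G[1] and concat(G, G) == G:
            if not any(i == k and strict for i, k, strict in G[2]):
                return False
    return True

# Ex. 2 of the paper: f(s(x), y) -> f(x, s(x)),  f(x, s(y)) -> f(y, x)
EX2 = [(("f", ("s", "x"), "y"), ("f", "x", ("s", "x"))),
       (("f", "x", ("s", "y")), ("f", "y", "x"))]
# Ex. 13 of the paper: the plus-TRS that needs weights (KBO or polynomial orderings)
EX13 = [(("plus", ("s", ("s", "x")), "y"), ("s", ("plus", "x", ("s", "y")))),
        (("plus", "x", ("s", ("s", "y"))), ("s", ("plus", ("s", "x"), "y"))),
        (("plus", ("s", ("0",)), "y"), ("s", "y")),
        (("plus", ("0",), "y"), "y")]

if __name__ == "__main__":
    for name, trs in (("Ex. 2", EX2), ("Ex. 13", EX13)):
        print(name, size_change_terminating(trs))
```

For Ex. 2 the two rules give the graphs {1 ≻ 1, 1 ≿ 2} and {1 ≿ 2, 2 ≻ 1}; closing them under concatenation yields six multigraphs, and every idempotent one has a strict self-edge. For Ex. 13 the two recursive rules give {1 ≻ 1} and {2 ≻ 2}, whose concatenation is the empty graph, which is idempotent without any strict edge, so the principle fails, as the text states.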

5 Comparison and Combination with Dependency Pairs 

Now we compare the size-change principle with dependency pairs. In contrast to other recent techniques [4,6], dependency pairs and size-change graphs are both built from recursive calls, which suggests combining these approaches to benefit from their respective advantages. We recapitulate the concepts of dependency pairs; see [1,7,8] for refinements and motivations. Let F♯ = {f♯ | f ∈ D} be a set of tuple symbols, where f♯ has the same arity as f, and we often write F for f♯, etc. If t = g(t_1, ..., t_m) with g ∈ D, we write t♯ for g♯(t_1, ..., t_m). If l → r ∈ R and t is a subterm of r with defined root, then the rule l♯ → t♯ is a dependency pair of R. So the dependency pairs of the TRS from Ex. 2 are

    F(s(x),y) → F(x,s(x))   (4)          F(x,s(y)) → F(y,x)   (5)

We always assume that different occurrences of dependency pairs are variable disjoint. Then a TRS is (innermost) terminating iff there is no infinite (innermost) chain of dependency pairs. A sequence s_1 → t_1, s_2 → t_2, ... of dependency pairs is a chain iff t_i σ →*_R s_{i+1} σ for all i and a suitable substitution σ. The sequence is an innermost chain iff t_i σ i→*_R s_{i+1} σ (innermost reduction) and all s_i σ are in normal form.

To estimate which dependency pairs may occur consecutively in chains, one builds a so-called dependency graph. Let CAP(t) result from replacing all subterms of t with defined root symbol by different fresh variables and let REN(t) result from replacing all occurrences of variables in t by different fresh variables. For instance, CAP(F(x,s(x))) = F(x,s(x)) and REN(F(x,s(x))) = F(x_1,s(x_2)). The (estimated) dependency graph is the directed graph whose nodes are the dependency pairs and where there is an arc from s → t to v → w iff REN(CAP(t)) and v are unifiable. In the (estimated) innermost dependency graph there is only an arc from s → t to v → w iff CAP(t) and v are unifiable. For the TRS of Ex. 2, the dependency graph and the innermost dependency graph are identical and each dependency pair is connected with itself and with the other pair.

A non-empty set P of dependency pairs is a cycle if for any pairs s → t and v → w in P there is a non-empty path from s → t to v → w which only traverses pairs from P. In our example we have the cycles {(4)}, {(5)}, and {(4),(5)}. If a cycle only contains dependency pairs resulting from the rules R' ⊆ R, we speak of an R'-cycle of the dependency graph of R. Finally, for f ∈ D we define its usable rules U(f) as the smallest set containing all f-rules and all rules that are usable for function symbols occurring in right-hand sides of f-rules. In our example, the usable rules for f are (1) and (2). For D' ⊆ D let U(D') = ∪_{f ∈ D'} U(f).
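As an added illustration of the construction just described (editor-supplied Python, not the paper's or its authors' code), the following computes dependency pairs, CAP and REN, and the arcs of the estimated dependency graph and of the estimated innermost dependency graph by syntactic unification, for the TRS of Ex. 2 and for the Ackermann TRS. Assumptions of the example: terms are nested tuples with variables as bare strings; tuple symbols f♯ are written as upper-cased names (F for f♯, as in the text); the three Ackermann rules are the standard ones, of which this page quotes only the third; variable disjointness of different dependency pair occurrences is realised by renaming the target pair's variables apart before unification.

```python
"""Dependency pairs, CAP/REN and the estimated (innermost) dependency graph.
Term encoding (an assumption of this example): a variable is a str, f(t1, ..., tn) is
the tuple (f, t1, ..., tn), a constant c is (c,); the tuple symbol f# is written F."""
import itertools

def is_var(t):
    return isinstance(t, str)

def subterms(t):
    yield t
    if not is_var(t):
        for a in t[1:]:
            yield from subterms(a)

def defined_symbols(rules):
    return {lhs[0] for lhs, _ in rules}

def sharp(t):
    """t#: the defined root symbol g is replaced by its tuple symbol G."""
    return (t[0].upper(),) + t[1:]

def dependency_pairs(rules):
    """l# -> t# for each rule l -> r and each subterm t of r with defined root."""
    D = defined_symbols(rules)
    return [(sharp(lhs), sharp(t)) for lhs, rhs in rules
            for t in subterms(rhs) if not is_var(t) and t[0] in D]

def fresh_names(prefix):
    return (f"{prefix}{n}" for n in itertools.count(1))

def cap(t, D, fresh):
    """CAP(t): each subterm with defined root becomes a distinct fresh variable."""
    if is_var(t):
        return t
    if t[0] in D:
        return next(fresh)
    return (t[0],) + tuple(cap(a, D, fresh) for a in t[1:])

def ren(t, fresh):
    """REN(t): each variable occurrence becomes a distinct fresh variable."""
    if is_var(t):
        return next(fresh)
    return (t[0],) + tuple(ren(a, fresh) for a in t[1:])

def rename_apart(t, suffix="'"):
    """Different occurrences of dependency pairs are assumed variable disjoint."""
    if is_var(t):
        return t + suffix
    return (t[0],) + tuple(rename_apart(a, suffix) for a in t[1:])

def walk(t, sigma):
    while is_var(t) and t in sigma:
        t = sigma[t]
    return t

def occurs(v, t, sigma):
    t = walk(t, sigma)
    return v == t if is_var(t) else any(occurs(v, a, sigma) for a in t[1:])

def unify(s, t, sigma=None):
    """Syntactic unification with occurs check: a most general unifier or None."""
    sigma = {} if sigma is None else sigma
    s, t = walk(s, sigma), walk(t, sigma)
    if s == t:
        return sigma
    if is_var(s) or is_var(t):
        v, u = (s, t) if is_var(s) else (t, s)
        if occurs(v, u, sigma):
            return None
        sigma[v] = u
        return sigma
    if s[0] != t[0] or len(s) != len(t):
        return None
    for a, b in zip(s[1:], t[1:]):
        if unify(a, b, sigma) is None:
            return None
    return sigma

def dependency_graph(rules, innermost=False):
    """Arcs as index pairs into the dependency pair list: an arc from (s -> t) to (v -> w)
    iff REN(CAP(t)) unifies with v; for the innermost graph iff CAP(t) unifies with v."""
    D = defined_symbols(rules)
    dps = dependency_pairs(rules)
    arcs = set()
    for i, (_, t) in enumerate(dps):
        for j, (v, _) in enumerate(dps):
            fresh = fresh_names("z")
            probe = cap(t, D, fresh)
            if not innermost:
                probe = ren(probe, fresh)
            if unify(probe, rename_apart(v)) is not None:
                arcs.add((i, j))
    return dps, arcs

# Ex. 2 of the paper: f(s(x), y) -> f(x, s(x)),  f(x, s(y)) -> f(y, x)
EX2 = [(("f", ("s", "x"), "y"), ("f", "x", ("s", "x"))),
       (("f", "x", ("s", "y")), ("f", "y", "x"))]
# Ackermann TRS: the standard three rules (assumed; this page quotes only the third)
ACK = [(("ack", ("0",), "y"), ("s", "y")),
       (("ack", ("s", "x"), ("0",)), ("ack", "x", ("s", ("0",)))),
       (("ack", ("s", "x"), ("s", "y")), ("ack", "x", ("ack", ("s", "x"), "y")))]
```

For Ex. 2 both graphs contain all four arcs, as stated in the text. For the Ackermann TRS the pair ACK(s(x),0) → ACK(x,s(0)) has no arc to itself (s(0) does not unify with 0), while ACK(s(x),s(y)) → ACK(x, ack(s(x),y)) reaches every pair, because CAP turns the inner call ack(s(x),y) into a fresh variable.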
Theorem 14 (Dependency Pair Approach [1]). A TRS R is terminating iff for each cycle P in the dependency graph there is a monotonic reduction pair (≿,≻) on T(F ∪ F♯, V) such that

(a) s ≿ t for all s → t ∈ P and s ≻ t for at least one s → t ∈ P

(b) l ≿ r for all l → r ∈ R.

R is innermost terminating if for each cycle P in the innermost dependency graph there is a monotonic reduction pair (≿,≻) on T(F ∪ F♯, V) such that

(c) s ≿ t for all s → t ∈ P and s ≻ t for at least one s → t ∈ P

(d) l ≿ r for all l → r ∈ U(D'),

where D' = {f | f ∈ D occurs in t for some s → t ∈ P}.

For the TRS of Ex. 2, in P = {(4),(5)} we must find a reduction pair where one dependency pair is weakly (w.r.t. ≿) and one is strictly decreasing (w.r.t. ≻). Since ≻ does not have to be monotonic, one typically uses a standard simplification ordering combined with an argument filtering to eliminate argument positions of function symbols. For example, we may eliminate the second argument position of F. Then F becomes unary and every term F(s,t) is replaced by F(s). The constraint F(s(x)) ≿ F(x) resulting from Dependency Pair (4) is easily satisfied, but there is no reduction pair satisfying F(x) ≿ F(y) from Dependency Pair (5). Indeed, there is no argument filtering such that the constraints of the dependency pair approach would be satisfied by a standard path ordering like RPOS or KBO. Moreover, if one adds the rules f(x,y) → ack(x,y), ack(s(x),y) → f(x,x), and the rules for the Ackermann function ack, then the dependency pair constraints are not satisfied by any polynomial ordering either.

Thus, termination cannot be proved with dependency pairs in combination 
with classical orderings amenable to automation, whereas the proof is very easy 
with the size-change principle and a simple reduction pair like the embedding 
ordering on constructors. While the examples in [13] are easily handled by depen- 
dency pairs and RPOS, this shows that there exist TRSs where the size-change 
principle is preferable to dependency pairs and standard rewrite orderings. 
In fact, size-change termination encompasses the concept of argument filtering for root symbols, since it concentrates on certain arguments of (root) function symbols while ignoring others. This is an advantage compared to dependency pairs, where finding the argument filtering is a major search problem. Moreover, the size-change principle examines sequences of function calls in a more sophisticated way. Depending on the different "paths" from one function call to another, it can choose different arguments to be (strictly) decreasing. In contrast, in the dependency pair approach such choices remain fixed for the whole cycle.

But in addition to the drawbacks in Sect. 4, a disadvantage of the size-change principle is that it is not modular, i.e., one has to use the same reduction pair for the whole termination proof, whereas dependency pairs permit different orderings for different cycles. The size-change principle also does not analyze arguments of terms to check whether two function calls can follow each other, whereas in dependency graphs this is approximated using CAP and REN. Again, the most severe drawback is that the size-change principle offers no technique to compare terms with defined symbols, whereas dependency pairs use inequalities of the form l ≿ r for this purpose. Therefore, only very restricted reduction pairs may be used for the size-change principle in Thm. 8 and 11, whereas one may use arbitrary monotonic reduction pairs for the dependency pair approach. In fact, dependency pairs are a complete technique which can prove termination of every terminating TRS, which is not true for the size-change principle (see e.g. Ex. 13).

Therefore, we introduce a new technique to combine dependency pairs and 
size-change termination. A straightforward approach would be to use size-change 
termination as the “base ordering” when trying to satisfy the constraints result- 
ing from the dependency pair approach. However, this would be very weak due 
to the restrictions on the reduction pairs in Thm. 8 and Thm. 11. Instead, we 
incorporate the size-change principle into the dependency pair approach and 
use it when generating the constraints. The resulting technique is stronger than 
both previous approaches: If (innermost) termination can be proved by the size- 
change principle or by dependency pairs using certain reduction pairs, then it can 
also be proved with our new technique using the same reduction pairs. On the 
other hand, there are many examples which cannot be proved by the size-change 
principle and where dependency pairs would require complicated reduction pairs 
(that can hardly be generated automatically), whereas with our combined tech- 
nique the (automatic) proof works with very simple reduction pairs, cf. [14]. 

Obviously, size-change graphs and dependency pairs have a close correspondence, since they both represent a call of a defined symbol g in the right-hand side of a rewrite rule f(s_1, ..., s_n) → ...g(t_1, ..., t_m).... Since we only need to concatenate size-change graphs which correspond to cycles in the (innermost) dependency graph, we now label size-change graphs by the corresponding dependency pair, and multigraphs are labelled by the corresponding sequence of dependency pairs. Then two size-change graphs or multigraphs labelled with (..., D) and (D', ...) may only be concatenated if there is an arc from D to D' in the (innermost)** dependency graph. Another problem is that in size-change graphs one only has output nodes 1_f, ..., n_f and input nodes 1_g, ..., m_g to compare the arguments of f and g. Therefore, the size-change principle cannot deal with TRSs like Ex. 13 where one has to regard the whole term in order to show termination. For that reason we add another output node ε_f and input node ε_g which correspond to the whole terms (or more precisely, to the terms F(s_1, ..., s_n) and G(t_1, ..., t_m) of the corresponding dependency pair).

** Whether one regards the dependency graph or the innermost dependency graph depends on whether one wants to prove termination or innermost termination.

Definition 15 (Extended Size-Change Graphs). Let (≿,≻) be a reduction pair on T(F ∪ F♯, V). For every f(s_1, ..., s_n) → r ∈ R and subterm g(t_1, ..., t_m) of r with g ∈ D, the extended size-change graph has n+1 output nodes i_f and m+1 input nodes j_g where i ∈ {ε, 1, ..., n}, j ∈ {ε, 1, ..., m}. Let s = F(s_1, ..., s_n) and t = G(t_1, ..., t_m). Then there is an edge i_f →≻ j_g iff s|i ≻ t|j and otherwise, there is an edge i_f →≿ j_g iff s|i ≿ t|j. Every extended size-change graph is labelled by a one-element sequence (F(s_1, ..., s_n) → G(t_1, ..., t_m)).

Concatenation of extended size-change graphs to extended multigraphs works as in Def. 3. However, if G is a multigraph labelled with (D_1, ..., D_n) and H is labelled with (D'_1, ..., D'_k), then they can only be concatenated if there is an arc from D_n to D'_1 in the (innermost) dependency graph. The concatenation G·H is labelled with (D_1, ..., D_n, D'_1, ..., D'_k).

In the remainder, when we speak of size-change graphs or multigraphs, we always mean extended graphs. To combine dependency pairs and the size-change principle, we now only regard multigraphs labelled with a cycle P of the (innermost) dependency graph (i.e., they are labelled with (D_1, ..., D_n) such that P = {D_1, ..., D_n}). Moreover, one may use different reduction pairs for the multigraphs resulting from different cycles. To benefit from the advantages of the size-change principle (i.e., combining lexicographic and multiset comparison and using different argument filterings and strict inequalities within one cycle), we do not build inequalities but size-change graphs out of the dependency pairs.

The following theorem combines dependency pairs and the size-change principle for full termination (Thm. 11). In contrast to Thm. 11, we now allow arbitrary reduction pairs. However, to handle defined symbols properly, one then has to require that all rules are weakly decreasing (as in the dependency pair approach). Alternatively, as in Thm. 11 one may also use reduction pairs (→*_S, →+_S) for a terminating non-duplicating TRS S over the constructors of R without requiring that R's rules are weakly decreasing. For example, in this way one can prove termination of the Ackermann TRS with the embedding ordering (i.e., S = Emb_C). However, in order to use (→*_S, →+_S) for some cycles and other reduction pairs (≿,≻) for other cycles, one has to prove termination of R ∪ S instead of just R.

Example 16. Let R = {g(f(a)) → g(f(b)), f(b) → f(a)} and S = {a → b}. For the only cycle {G(f(a)) → G(f(b))} of R's dependency graph, size-change termination can be shown by (→*_S, →+_S). So if one only regards R instead of R ∪ S, one could falsely "prove" termination of R. Instead, {F(b) → F(a)} must also be regarded, since it is an R-cycle of the dependency graph of R ∪ S (in R ∪ S, a is a defined symbol). Moreover, for reduction pairs (≿,≻) ≠ (→*_S, →+_S), one has to demand l ≿ r not only for the rules l → r of R, but for those of S as well. Otherwise, the constraints for the cycle {F(b) → F(a)} would falsely be satisfiable.

By Thm. 17, the resulting termination criterion is sound, complete, and more powerful than the size-change principle or dependency pairs on their own.

Theorem 17 (Termination Proofs). Let R be a TRS over F with constructors C and let S be a terminating non-duplicating TRS over C. R (and even R ∪ S) is terminating iff for each R-cycle P in the dependency graph of R ∪ S there is a monotonic reduction pair (≿,≻) on T(F ∪ F♯, V) such that

(a) all maximal multigraphs w.r.t. (≿,≻) labelled with P contain an edge i →≻ i

(b) ≿ = →*_S and ≻ = →+_S, or l ≿ r for all l → r ∈ R ∪ S.

If R is size-change terminating w.r.t. (→*_S, →+_S) as in Thm. 11 or if a reduction pair satisfies Conditions (a) and (b) of Thm. 14 for termination with dependency pairs, then this reduction pair also satisfies the conditions of this criterion.

Proof. Thm. 17 simulates size-change termination (Thm. 11): If all maximal multigraphs contain i →≻ i, this also holds for maximal multigraphs labelled with P. It simulates dependency pairs by choosing S = ∅: By Thm. 14 (a), multigraphs labelled with P contain ε →≻ ε. As dependency pairs are complete for termination (even with estimated or no dependency graphs), this proves the "only if" part.

For the "if" direction, suppose that R ∪ S is not terminating. Since S terminates, by Lemma 10 and the soundness of dependency pairs, there is an infinite chain s_1 → t_1, s_2 → t_2, ... of R-dependency pairs such that t_i σ →*_{R∪S} s_{i+1} σ for all i and a substitution σ, and s_1 = s♯ for a minimal non-terminating term s w.r.t. R ∪ S. Moreover, there is an R-cycle P consisting of those dependency pairs which occur infinitely often in this chain. Let i_1 < i_2 < ... such that {s_{i_j} → t_{i_j}, ..., s_{i_{j+1}-1} → t_{i_{j+1}-1}} = P for all j, i.e., we partition the sequence into parts where all dependency pairs of P occur. For all j, let G_j be the multigraph resulting from the concatenation of the size-change graphs corresponding to s_{i_j} → t_{i_j}, ..., s_{i_{j+1}-1} → t_{i_{j+1}-1}. Note that all G_j are labelled with P.

Due to (a), every multigraph H resulting from concatenation of size-change graphs contains an edge of the form i →≻ i, provided that H = H·H and that H is labelled with P. Hence, every idempotent multigraph H = H·H resulting from concatenating graphs from G_1, G_2, ... also contains an edge i →≻ i. The reason is that since all G_j are labelled with P, H is also labelled with P.

From this, [13, Thm. 4] or [14, Lemma 7] implies that there is an infinite path with infinitely many "≻"-edges in the infinite graph resulting from G_1, G_2, ... by identifying the input nodes of G_j with the output nodes of G_{j+1}. Hence, there is also such a path in the infinite graph resulting from the size-change graphs corresponding to s_1 → t_1, s_2 → t_2, .... Without loss of generality, we assume that the infinite path already starts in the size-change graph corresponding to s_1 → t_1. For every i, let a_i be the output node in the size-change graph of s_i → t_i which is on this path. For infinitely many i we have s_i|a_i σ ≻ t_i|a_{i+1} σ and otherwise we have s_i|a_i σ ≿ t_i|a_{i+1} σ, since ≿ and ≻ are closed under substitutions.

If the reduction pair (≿,≻) is (→*_S, →+_S), then we obtain a contradiction to the minimality of s similar to the proof of Thm. 11. Otherwise, t_i|a_{i+1} σ ≿ s_{i+1}|a_{i+1} σ due to (b), since t_i|a_{i+1} σ →*_{R∪S} s_{i+1}|a_{i+1} σ. Hence, we have an infinite decreasing sequence w.r.t. ≻, which contradicts its well-foundedness. □

For innermost termination, we integrate Thm. 8 with dependency pairs. (Integrating a variant of Thm. 11 for innermost termination would only prove innermost termination of R ∪ S, which does not imply innermost termination of R.) In the dependency pair approach for innermost termination, only the usable rules for defined symbols in right-hand sides t of dependency pairs s → t must be weakly decreasing. Here, one can benefit from the size-change principle, which restricts the comparison of terms to certain arguments. Symbols of t which do not occur in the arguments being compared do not have to be regarded as "usable". More precisely, if one uses the extension of a reduction pair which only compares terms with defined symbols from a subset D' ⊆ D, then one only has to require weak decreasingness of U(D'). So here the size-change principle has the advantage that one can reduce the set of usable rules.

For example, the Ackermann TRS has the rule ack(s(x),s(y)) → ack(x, ack(s(x),y)) and therefore, we obtain the dependency pair ACK(s(x),s(y)) → ACK(x, ack(s(x),y)). Since ack occurs in the right-hand side of this dependency pair, in the dependency pair approach we would have to require l ≿ r for all ack-rules, since they would be regarded as being usable. For this reason, we would need a lexicographic comparison. However, in our new technique, the ACK-dependency pairs are transformed into size-change graphs and size-change termination can easily be shown using the embedding ordering on constructor terms (i.e., D' = ∅). In other words, the second argument of ACK(x, ack(s(x),y)) is never regarded in this comparison and therefore, the ack-rules are no longer usable. So instead of LPO we only need the embedding ordering to satisfy the resulting constraints. Hence, in the combined technique one can often use much simpler reduction pairs than the reduction pairs needed with dependency pairs.

Here it is important that extensions are non-monotonic. Consider the TRS of Ex. 16 and a reduction pair on constructor terms (i.e., D' = ∅) where a is greater than b. Hence, we do not have to regard any usable rules. In the extension (≿,≻) of this reduction pair we have f(a) ⋡ f(b), since f(a) and f(b) are not instances of constructor terms u ≿ v other than a variable. Thus, the dependency pair G(f(a)) → G(f(b)) is not decreasing, i.e., innermost termination is not proved. But if the extension were monotonic, we would falsely prove innermost termination of R.
Theorem 18 (Innermost Termination Proofs). A TRS $\mathcal{R}$ is innermost terminating if for each cycle $\mathcal{P}$ in the innermost dependency graph there is a reduction pair on $\mathcal{T}(\mathcal{C} \cup \mathcal{D}' \cup \mathcal{F}^\sharp, \mathcal{V})$ for some $\mathcal{D}' \subseteq \mathcal{D}$, which is monotonic if $\mathcal{D}' \neq \emptyset$, such that for its extension $(\succsim, \succ)$ to $\mathcal{T}(\mathcal{F} \cup \mathcal{F}^\sharp, \mathcal{V})$ we have

(a) all maximal multigraphs w.r.t. $(\succsim, \succ)$ labelled with $\mathcal{P}$ contain an edge $i \overset{\succ}{\to} i$

(b) $l \succsim r$ for all $l \to r \in \mathcal{U}(\mathcal{D}')$

If $\mathcal{R}$ is size-change terminating w.r.t. a reduction pair as in Thm. 8 or if a reduction pair satisfies Conditions (c) and (d) of Thm. 14 for innermost termination with dependency pairs, then it also satisfies the conditions of this criterion.

Proof. Thm. 18 can simulate the size-change principle: As in Thm. 17, size-change termination implies (a). Moreover, if $(\succsim, \succ)$ is the extension of a reduction pair on $\mathcal{T}(\mathcal{C}, \mathcal{V})$ as in Thm. 8, then $\mathcal{D}' = \emptyset$ and thus, (b) is also satisfied.

The simulation of dependency pairs and the soundness of the above criterion are shown as for Thm. 17. If $\mathcal{R}$ is not innermost terminating, then there is an infinite innermost chain $s_1 \to t_1, s_2 \to t_2, \ldots$ with $t_i\sigma \to^* s_{i+1}\sigma$ and all $s_i\sigma$ are normal forms. As in Thm. 17's proof, this implies that in the infinite graph resulting from the corresponding size-change graphs there is an infinite path with infinitely many "$\succ$" labels. For every $i$, let $\alpha_{i+1}$ be the output node in the size-change graph corresponding to $s_i \to t_i$ which is on this infinite path. To conclude $t_i|_{\alpha_{i+1}}\sigma \succsim s_{i+1}|_{\alpha_{i+1}}\sigma$, note that $s_i|_{\alpha_i} \succsim t_i|_{\alpha_{i+1}}$ or $s_i|_{\alpha_i} \succ t_i|_{\alpha_{i+1}}$. According to the definition of extending reduction pairs, all subterms of $t_i|_{\alpha_{i+1}}$ with root from $\mathcal{D} \setminus \mathcal{D}'$ also occur in $s_i|_{\alpha_i}$. Hence, when instantiated by $\sigma$ they are in normal form. Therefore, the only rules applicable to $t_i|_{\alpha_{i+1}}\sigma$ are from $\mathcal{U}(\mathcal{D}')$.

Moreover, above the redexes of $t_i|_{\alpha_{i+1}}\sigma$ there are no symbols from $\mathcal{D} \setminus \mathcal{D}'$, since otherwise these redexes would also occur in the normal form $s_i|_{\alpha_i}\sigma$. Now (b) ensures $t_i|_{\alpha_{i+1}}\sigma \succsim s_{i+1}|_{\alpha_{i+1}}\sigma$. The remainder is as in Thm. 17's proof. □

The combined technique handles TRSs where both original techniques fail, since some rules require lexicographic or multiset comparison and others require polynomial orderings. In the combined technique, lexicographic or multiset comparison is implicit since the size-change principle is incorporated. Thus, the resulting constraints are often satisfied by simple polynomial orderings. For example, we unite the plus-TRS (Ex. 13) with the TRS for Ackermann's function, where $ack(s(x), s(y)) \to ack(x, ack(s(x), y))$ is replaced by $ack(s(x), s(y)) \to ack(x, plus(y, ack(s(x), y)))$. In the original dependency pair approach, both the $ack$- and $plus$-rules are usable for the corresponding dependency pair and thus, no standard ordering amenable to automation fulfills the resulting constraints. But in the combined technique, there are no usable rules and hence, the innermost termination proof works with the simple polynomial ordering on constructors and tuple symbols where $s(x)$ is mapped to $x + 1$ and $PLUS(x, y)$ is mapped to $x + y$. In practice, there are many TRSs where the combined technique simplifies the termination proof significantly (e.g., TRSs for arithmetic operations, for sorting algorithms, for term manipulations in $\lambda$-calculus, etc., cf. [14]).

In [1,7], refinements to manipulate dependency pairs by narrowing, rewriting, 
and instantiation were proposed. These refinements directly carry over to our 
combined technique. To summarize, the combination of dependency pairs and 
the size-change principle has two main advantages: First, one can now prove 
(innermost) termination of TRSs automatically where up to now an automated 
proof was impossible. Second, for many TRSs where up to now the termination 
proof required complicated reduction pairs involving a large search space, one 
can now use much simpler orderings which increases efficiency. 

6 Conclusion 

We extended the size-change principle to prove (innermost) termination of arbi- 
trary TRSs. Then we compared it with classical simplification orderings from 
rewriting: It is also restricted to simple termination, it incorporates lexicographic 
and multiset comparison for root symbols (although not below the root), but it 
cannot handle defined symbols or term measures and weights. 
Nevertheless, there are even examples where the size-change principle is advantageous over dependency pairs, since it can simulate argument filtering for root
symbols and it can investigate how the size of arguments changes in sequences 
of function calls. On the other hand, the size-change principle is not modular 
and it lacks a concept like the dependency graph to analyze which function calls 
can follow each other. Therefore, we developed a new approach to combine the 
size-change principle with dependency pairs. The combined approach is more 
powerful than both previous techniques and has the advantage that it often 
succeeds with much simpler argument filterings and base orderings than the de- 
pendency pair approach. We have implemented both the original dependency 
pair approach and the combined approach in the system AProVE and found that 
this combination often increases efficiency dramatically. With this combination 
and a reduction pair based on the lexicographic path ordering, 103 of the 110 
examples in the collection of [2] could be proved innermost terminating fully 
automatically. Most of these proofs took less than a second; the longest took 
about 10 seconds. The remaining 7 examples only fail because of the underlying 
reduction pair (e.g., one would need polynomial orderings or KBO). For details 
on the experiments see [14]. 

References 

1. T. Arts and J. Giesl. Termination of term rewriting using dependency pairs. The- 
oretical Computer Science, 236:133-178, 2000. 

2. T. Arts and J. Giesl. A collection of examples for termination of term rewriting 
using dependency pairs. Technical Report AIB-2001-09, RWTH Aachen, 2001. 

3. F. Baader and T. Nipkow. Term Rewriting and All That. Cambr. Univ. Pr., 1998. 

4. C. Borralleras, M. Ferreira, and A. Rubio. Complete monotonic semantic path 
orderings. In Proc. 17th CADE, LNAI 1831, pages 346-364, 2000. 

5. N. Dershowitz. Termination of rewriting. J. Symbolic Comp., 3:69-116, 1987. 

6. O. Fissore, I. Gnaedig, and H. Kirchner. Induction for termination with local 
strategies. In Proc. 4th Int. Workshop Strategies in Aut. Ded., ENTCS 58, 2001. 

7. J. Giesl and T. Arts. Verification of Erlang processes by dependency pairs. Appl. Algebra in Engineering, Communication and Computing, 12(1,2):39-72, 2001.

8. J. Giesl, T. Arts, and E. Ohlebusch. Modular termination proofs for rewriting using dependency pairs. Journal of Symbolic Computation, 34(1):21-58, 2002.

9. S. Kamin and J. J. Levy. Two generalizations of the recursive path ordering. 
Unpublished Manuscript, University of Illinois, IL, USA, 1980. 

10. D. Knuth and P. Bendix. Simple word problems in universal algebras. In J. Leech, 
editor. Comp. Problems in Abstr. Algebra, pages 263-297. Pergamon, 1970. 

11. K. Kusakari, M. Nakamura, and Y. Toyama. Argument filtering transformation. 
In Proc. 1st PPDP, LNCS 1702, pages 48-62, 1999. 

12. D. Lankford. On proving term rewriting systems are Noetherian. Technical Report 
MTP-3, Louisiana Technical University, Ruston, LA, USA, 1979. 

13. C. S. Lee, N. D. Jones, and A. M. Ben-Amram. The size-change principle for 
program termination. In Proc. POPL ’01, pages 81-92, 2001. 

14. R. Thiemann and J. Giesl. Size-change termination for term rewriting. Report 
AIB-2003-02, RWTH Aachen, 2003. http://aib.informatik.rwth-aachen.de. 

15. Y. Toyama. Counterexamples to the termination for the direct sum of term rewrit- 
ing systems. Information Processing Letters, 25:141-143, 1987. 




Monotonic AC-Compatible 
Semantic Path Orderings 



Cristina Borralleras¹ and Albert Rubio²

¹ Universitat de Vic, Spain
cristina.borralleras@uvic.es
² Universitat Politecnica de Catalunya, Barcelona, Spain
rubio@lsi.upc.es



Abstract. Polynomial interpretations and RPO-like orderings allow one 
to prove termination of Associative and Commutative (AC-)rewriting 
by only checking the rules of the given rewrite system. However, these 
methods have important limitations as termination proving tools. 

To overcome these limitations, more powerful methods like the dependency pair method have been extended to the AC-case. Unfortunately, in order to ensure AC-termination, the so-called extended rules, which, in general, are hard to prove, must be added to the rewrite system.
In this paper we present a fully monotonic AC-compatible semantic path 
ordering. This monotonic AC-ordering defines a new automatable termi- 
nation proving method for AC-rewriting which does not need to consider 
extended rules. As a hint of the power of this method, we can easily prove 
several non-trivial examples appearing in the literature, including one 
that, to our knowledge, can be handled by no other automatic method. 



1 Introduction 



In programming, as well as in theorem proving, it is very common to have binary 
operators which satisfy the associative and commutative properties. However, 
such axioms cannot be treated as additional rules in the rewrite system (e.g., 
commutativity cannot be oriented by any well-founded ordering), and hence 
they require a special treatment. The most common approach to deal with AC 
symbols is rewriting modulo AC, that is, rewriting using matching modulo asso- 
ciativity and commutativity to detect the applicability of the rules. The following 
example (taken from [MU98]) describes addition ($+$) and multiplication ($*$) for natural numbers in binary notation defined by a constant $\#$, denoting the empty sequence of digits, and two unary postfixed functions $(\_)0$ and $(\_)1$, to add 0's and 1's to the right. For instance, 5 is written as $(((\#)1)0)1$.
Example 1. In this example both $+$ and $*$ are AC-symbols.

$(\#)0 \to \#$

$x + \# \to x$

$(x)0 + (y)0 \to (x + y)0$
$(x)0 + (y)1 \to (x + y)1$
$(x)1 + (y)1 \to (x + y + (\#)1)0$

$x * (y)0 \to (x * y)0$
$x * (y)1 \to x + (x * y)0$

Due to the fact that rewriting is performed modulo the AC-axioms, proving 
termination becomes a more difficult task. In particular, the applied method 
must be AC-compatible, which roughly means that all terms in the same AC- 
equivalent class are treated in the same way. When using an ordering-based 
termination proof method, AC-compatibility means that if some term s is greater 
than some term t, then any term that is AC-equivalent to s is greater than any 
term that is AC-equivalent to t. 

Many efforts have been made [BCL87,BP85,KSZ95,DP93,RN95,KS00,Rub02] in order to obtain AC-compatible simplification orderings (i.e., monotonic orderings including the subterm relation) by extending the methods used for standard rewriting.

These methods are, in general, well suited for automation. However, as for 
standard rewriting, such AC-compatible simplification orderings have impor- 
tant limitations as termination proving tools. For instance, there are many term 
rewrite systems (TRSs) that are terminating but are not contained in any sim- 
plification ordering, i.e., they are not simply terminating. 

In [MU98,KT01,Urb01] the dependency pair method [AG00], which can prove termination of TRSs that are not simply terminating, is adapted to deal with AC-rewriting, and in [GK01] it is adapted for rewriting modulo more general equational theories. All these AC-versions of the dependency pair method need to consider the so-called extended rules. For the AC-case this means to add to the set of rules one extended rule $f(l, x) \to f(r, x)$, where $x$ is a new variable, for every rule $l \to r$ with $l$ headed by an AC-symbol $f$. In the previous example we have to add

$x + \# + z \to x + z$

$(x)0 + (y)0 + z \to (x + y)0 + z$
$(x)0 + (y)1 + z \to (x + y)1 + z$
$(x)1 + (y)1 + z \to (x + y + (\#)1)0 + z$

$x * (y)0 * z \to (x * y)0 * z$
$x * (y)1 * z \to x + (x * y)0 * z$

These extended rules are needed to ensure monotonicity with respect to the AC-symbols. But adding them to the system usually makes the termination proof
harder. 

An alternative to the dependency pair method is the use of the monotonic semantic path ordering (MSPO; [BFR00]), which is a monotonic version of the semantic path ordering (SPO; [KL80]). The SPO generalizes path orderings like Dershowitz's recursive path ordering (RPO; [Der82]) by replacing the use of a precedence by the use of any measure, defined by an underlying quasi-ordering, involving the whole term and not only the head symbol.

The aim of this paper is to adapt the MSPO to deal with AC symbols, obtain- 
ing a fully monotonic AC-ordering which allows us to avoid the use of extended 
rules. Following the ideas used to adapt RPO to the AC-case in [Rub02], SPO 
has been adapted to obtain an associative and commutative SPO (ACSPO). 
After that, a monotonic version of ACSPO, called ACMSPO, is obtained. Even 
though the ACSPO and the ACRPO share the same structure, finding the ap- 
propriate formulation of the ordering was not an easy task. In order to ensure 
the properties of the ACSPO and the ACMSPO, some new conditions on the 
underlying quasi-ordering used inside SPO are needed. These conditions have 
to be tight, otherwise the ordering becomes too weak. Additionally, to ensure 
stability under substitutions it is necessary to linearize some variables of the 
terms, but, fortunately, we have shown that this is only required in a single case. 

With ACMSPO we have been able to obtain a simple termination proof for the ternary integral arithmetic example used in [CMR97] for computing addition and multiplication of integers in balanced ternary notation, where there are three unary postfixed functions $(x)0$, $(x)1$ and $(x)j$ representing respectively $3x$, $3x + 1$ and $3x - 1$ (see also [Knu97], pages 207 and 208 for further details).



Example 2. Both $+$ and $*$ are AC-symbols.

$(\#)0 \to \#$

$x + \# \to x$

$(x)0 + (y)0 \to (x + y)0$
$(x)0 + (y)1 \to (x + y)1$
$(x)0 + (y)j \to (x + y)j$
$(x)1 + (y)j \to (x + y)0$
$(x)1 + (y)1 \to (x + y + (\#)1)j$
$(x)j + (y)j \to (x + y + (\#)j)1$

$x - y \to x + opp(y)$
$opp(\#) \to \#$
$opp((x)0) \to (opp(x))0$
$opp((x)1) \to (opp(x))j$
$opp((x)j) \to (opp(x))1$

$x * (y)0 \to (x * y)0$
$x * (y)1 \to x + (x * y)0$
$x * (y)j \to (x * y)0 + opp(x)$



Proving termination of this example is not trivial at all. In [CMR97] there is a 
quite complex ad-hoc hand-tailored proof of termination based on a lexicographic 
combination of three interpretations on the non-negative integers. In [MU98] 
an AC-version of the dependency pairs method [AG00] was used for proving
termination of this example (together with its extended rules), but the use of 
some AC-marked symbols, which was necessary to deal with the example, turned 
out to be unsound. 
As shown for MSPO [BR02], the ACMSPO method can be fully automated in a constraint solving based system (see Section 6 for details).

The paper is organized as follows. The next section is devoted to preliminaries 
on orderings and AC-rewriting. In Section 3, the AC semantic path ordering 
(ACSPO) , on which we will build our method, is introduced. A monotonic version 
of the ACSPO is given in Section 4. In Section 5, ACMSPO is used to check 
the termination of several examples and in Section 6 it is shown how ACMSPO 
can be implemented as a fully automated termination proving tool, using a 
constraint framework similar to the one of the dependency pair method. Finally, 
conclusions and further work are discussed in Section 7. 

Due to the lack of space we have not included any proof of the properties of 
the orderings. They can all be found in [BR03].

2 AC-Rewriting and Termination 

In the following we consider that $\mathcal{F}$ is a set of function symbols, $\mathcal{F}_{AC}$ the subset containing all the AC symbols, $\mathcal{X}$ a set of variables and $\mathcal{T}(\mathcal{F}, \mathcal{X})$ is the set of terms built from $\mathcal{F}$ and $\mathcal{X}$.

Rewriting modulo AC, or AC-rewriting, consists of rewriting over the equivalence classes defined by the associativity and commutativity axioms. Therefore, instead of syntactic equality, rewriting modulo AC considers $=_{AC}$, the congruence generated on $\mathcal{T}(\mathcal{F}, \mathcal{X})$ by the associativity and commutativity axioms for the symbols in $\mathcal{F}_{AC}$.

Given a TRS $\mathcal{R}$, a term $s \in \mathcal{T}(\mathcal{F}, \mathcal{X})$ rewrites to $t$ with $\mathcal{R}$ modulo AC, denoted by $s \to_{\mathcal{R}/AC} t$, if $s =_{AC} s'$, $s'|_p = l\sigma$ for some rule $l \to r \in \mathcal{R}$, term $s'$, position $p$ and substitution $\sigma$, and $t =_{AC} s'[r\sigma]_p$.

Let $s$ and $t$ be arbitrary terms in $\mathcal{T}(\mathcal{F}, \mathcal{X})$, let $f$ be a function symbol in $\mathcal{F}$ and let $\sigma$ be a substitution. A quasi-ordering $\succsim$ is a transitive reflexive relation. Its strict part $\succ$ is the strict ordering $\succsim \setminus \precsim$ (i.e., $s \succ t$ iff $s \succsim t$ and $t \not\succsim s$). Its equivalence $\sim$ is $\succsim \cap \precsim$. Note that $\succsim$ is the disjoint union of $\succ$ and $\sim$ and that if $=$ denotes syntactic equality then $\succ \cup =$ is a quasi-ordering whose strict part is $\succ$. A quasi-ordering $\succsim$ is monotonic if $s \succsim t$ implies $f(\ldots s \ldots) \succsim f(\ldots t \ldots)$, and stable under substitutions if $s \succsim t$ implies $s\sigma \succsim t\sigma$.

A (strict partial) ordering $\succ$ is a transitive irreflexive relation. It is monotonic if $s \succ t$ implies $f(\ldots s \ldots) \succ f(\ldots t \ldots)$, and stable under substitutions if $s \succ t$ implies $s\sigma \succ t\sigma$. Monotonic orderings that are stable under substitutions are called rewrite orderings. A reduction ordering is a rewrite ordering that is well-founded: there are no infinite sequences $t_1 \succ t_2 \succ \cdots$.

As the rewrite relation is defined over AC-equivalence classes, any ordering used to prove termination of AC-rewriting has to be AC-compatible.

Definition 1. A relation is said to be AC-compatible if it is compatible with the $=_{AC}$ relation. In particular $\succ$ is AC-compatible if $s' =_{AC} s \succ t =_{AC} t'$ implies $s' \succ t'$; and $\succsim$ is AC-compatible if $s' =_{AC} s \succsim t =_{AC} t'$ implies $s' \succsim t'$.

Theorem 1. Let $\succ$ be an AC-compatible reduction ordering and let $\mathcal{R}$ be a TRS. If $l \succ r$ for all rules $l \to r \in \mathcal{R}$ then $\mathcal{R}$ is terminating for rewriting modulo AC.

The AC-multiset extension of an AC-compatible ordering is defined in the standard way but using AC-equality instead of syntactic equality.

A very common way to easily obtain AC-compatibility is to consider the terms flattened wrt. the AC-symbols. The flat form of $t$, denoted by $\bar{t}$, is the normal form of $t$ wrt. the (infinite set of) rules

$f(x_1, \ldots, x_{i-1}, f(y_1, \ldots, y_k), x_{i+1}, \ldots, x_n) \to f(x_1, \ldots, x_{i-1}, y_1, \ldots, y_k, x_{i+1}, \ldots, x_n)$

for each $f \in \mathcal{F}_{AC}$. E.g., let $t = +(g(+(a, +(b, c))), +(d, +(e, f)))$; then $\bar{t} = +(g(+(a, b, c)), d, e, f)$. Note that due to the flattening we need to consider variable arities (greater than or equal to 2) for symbols in $\mathcal{F}_{AC}$.

It follows from an easy induction that $s =_{AC} t$ iff $\bar{s}$ and $\bar{t}$ are equal up to permutation of arguments for the AC-symbols. We also denote by $=_{AC}$ this equality up to permutation of arguments for the AC symbols, and by $==_{AC}$ the standard extension of $=_{AC}$ to multisets. From now on, all terms are assumed to be in their flattened form.

However, when considering flattened terms the ordering frequently loses the monotonicity property. For instance, with the recursive path ordering (RPO), if a symbol $f$ is greater than a symbol $g$ and $f$ is an AC-symbol, we have that $f(a, a) \succ_{rpo} g(a)$ but $f(f(a, a), b) \not\succ_{rpo} f(g(a), b)$, as the flattened form of $f(f(a, a), b)$ is $f(a, a, b)$ and $f(g(a), b) \succ_{rpo} f(a, a, b)$. The usual way to recover monotonicity consists of giving a special treatment to the small symbols like $g$ when they occur below a big AC-symbol like $f$.

Remark that if we have a term $s$ in flattened form, when adding a context $f(\ldots, s, \ldots)$, the flattening rules need to be applied at top position of the arguments only. Thus, we define the top-flattening of a term $s$ wrt. an AC-symbol $f$, denoted by $tf_f(s)$, as $tf_f(f(s_1, \ldots, s_n)) = s_1, \ldots, s_n$ and $tf_f(s) = s$ if $top(s) \neq f$. Then $f(\ldots, tf_f(s), \ldots)$ is the flattened form of $f(\ldots, s, \ldots)$ for any given flattened term $s$ and flattened context $f(\ldots [\,] \ldots)$.

Finally, let us give some definitions which only concern the AC-symbols.

A strict ordering $\succ$ is AC-monotonic if $s \succ t$ implies $f(\ldots, tf_f(s), \ldots) \succ f(\ldots, tf_f(t), \ldots)$ for any $f \in \mathcal{F}_{AC}$. A quasi-ordering $\succsim$ is AC-monotonic if $s \succsim t$ implies $f(\ldots, tf_f(s), \ldots) \succsim f(\ldots, tf_f(t), \ldots)$ for any $f \in \mathcal{F}_{AC}$, and it fulfils the AC-deletion property if for all $f \in \mathcal{F}_{AC}$, if $n > m$ and $1 \leq i_1 < \ldots < i_m \leq n$ then $f(s_1, \ldots, s_n) \succsim f(s_{i_1}, \ldots, s_{i_m})$.

2.1 ACRPO 

We give a restricted version of the ACRPO in [Rub02], where the precedence, 
i.e., the well-founded quasi-ordering on the set of function symbols, is total and 
the arguments are always compared as multisets. 

In the definition of ACRPO the main difference with RPO appears when 
comparing two terms headed by some AC-symbol /. 

In this case, in order to ensure monotonicity, we have to give a different 
treatment to the arguments headed by symbols bigger than / and the arguments 
headed by symbols smaller than $f$. For this reason we need to define the following (multi)sets of terms.

Definition 2. Let $s$ be a term of the form $f(s_1, \ldots, s_n)$ with $f \in \mathcal{F}_{AC}$.

- The multiset of arguments of $s$ headed by a big symbol, denoted by $BigHead(s)$, is defined as $\{s_i \mid 1 \leq i \leq n \wedge top(s_i) \succ_{\mathcal{F}} f\}$.

- The multiset of arguments of $s$ headed by a symbol not smaller than $f$, denoted by $NoSmallHead(s)$, is defined as $\{s_i \mid 1 \leq i \leq n \wedge f \not\succ_{\mathcal{F}} top(s_i)\}$.

- The set of terms embedded in $s$ through an argument headed by a small symbol, denoted by $EmbSmall(s)$, is defined as $\{f(s_1, \ldots, tf_f(v_j), \ldots, s_n) \mid s_i = h(v_1, \ldots, v_r) \wedge f \succ_{\mathcal{F}} h \wedge j \in \{1, \ldots, r\}\}$.

Note that the difference between $NoSmallHead(s)$ and $BigHead(s)$ is that the former includes the variables which are arguments of $s$ and the latter does not. For AC-equivalent terms all these three (multi)sets coincide (modulo AC).

For instance, let $t = f(g(g(x, a), a), x, h(a), a)$ with $f \in \mathcal{F}_{AC}$ and $h, a \succ_{\mathcal{F}} f \succ_{\mathcal{F}} g$. Then $BigHead(t) = \{h(a), a\}$, $NoSmallHead(t) = \{x, h(a), a\}$ and $EmbSmall(t) = \{f(g(x, a), x, h(a), a),\ f(a, x, h(a), a)\}$.

Additionally, we need to count the number of arguments of a term $t$ headed by an AC-symbol, but in order to preserve stability under substitutions we have to describe the counting by means of an expression with variables.

Definition 3. Let $s$ be a term of the form $f(s_1, \ldots, s_n)$ with $f \in \mathcal{F}_{AC}$. Then $\#(s)$ is an expression with variables on the positive integers, defined as $\#(f(s_1, \ldots, s_n)) = \#_v(s_1) + \ldots + \#_v(s_n)$, where $\#_v(x) = x$ and $\#_v(t) = 1$ if $t$ is not a variable.

For example, we have $\#(f(x, y, g(x))) = x + y + 1$, which means the arguments coming from $x$ (when applying a substitution and flattening), the ones coming from $y$, plus 1. Then we can compare the amount of arguments of two terms by checking $\#(f(x, y, g(x))) = x + y + 1 > x + y = \#(f(x, y))$, which is necessary to achieve stability under substitution. For AC-equivalent terms the counting coincides.

Definition 4. Let $\succ_{\mathcal{F}}$ be a well-founded total precedence and let $s$ and $t$ be terms in $\mathcal{T}(\mathcal{F}, \mathcal{X})$. Then $s = f(s_1 \ldots s_n) \succ_{ACRPO} t$ if and only if

1. $s_i \succsim_{ACRPO} t$ for some $i \in \{1 \ldots n\}$, or

2. $t = g(t_1 \ldots t_m)$, $f \succ_{\mathcal{F}} g$ and $s \succ_{ACRPO} t_i$ for all $i \in \{1 \ldots m\}$, or

3. $t = g(t_1 \ldots t_m)$, $f = g \notin \mathcal{F}_{AC}$ and $\{s_1, \ldots, s_n\} \gg_{ACRPO} \{t_1, \ldots, t_m\}$, or

4. $t = g(t_1 \ldots t_m)$, $f = g \in \mathcal{F}_{AC}$ and $s' \succsim_{ACRPO} t$ for some $s' \in EmbSmall(s)$, or

5. $t = g(t_1 \ldots t_m)$, $f = g \in \mathcal{F}_{AC}$, $s \succ_{ACRPO} t'$ for all $t' \in EmbSmall(t)$, $NoSmallHead(s) \underline{\gg}_{ACRPO} NoSmallHead(t)$ and either

 (a) $BigHead(s) \gg_{ACRPO} BigHead(t)$ or

 (b) $\#(s) > \#(t)$ or

 (c) $\#(s) \geq \#(t)$ and $\{s_1, \ldots, s_n\} \gg_{ACRPO} \{t_1, \ldots, t_m\}$

where $\succsim_{ACRPO}$ is $\succ_{ACRPO} \cup =_{AC}$, $\gg_{ACRPO}$ is the AC-multiset extension of $\succ_{ACRPO}$ and $\underline{\gg}_{ACRPO}$ is $\gg_{ACRPO} \cup ==_{AC}$.

The condition $NoSmallHead(s) \underline{\gg}_{ACRPO} NoSmallHead(t)$ ensures that every variable in $t$ is taken care of by a variable in $s$ or by an argument of $s$ headed by a big symbol. Then, if by instantiation, some variable becomes a term headed by a big symbol, we know that some argument of the (instantiation) of $s$ headed by a big symbol takes care of it.

The following examples show the behavior of the ordering when comparing 
terms headed by the same AC-symbol. 

Example 3. Let $f \in \mathcal{F}_{AC}$ and $h, g, a, b \in \mathcal{F} \setminus \mathcal{F}_{AC}$, and take the precedence $h \succ_{\mathcal{F}} f \succ_{\mathcal{F}} g \succ_{\mathcal{F}} a \succ_{\mathcal{F}} b$. Then we have

1. $s = f(g(f(h(a), a)), a) \succ_{ACRPO} f(h(a), a, a) = t$ by case 4, since $f \succ_{\mathcal{F}} g$ implies $f(tf_f(f(h(a), a)), a) = f(h(a), a, a) \in EmbSmall(s)$.

2. $s = f(h(a), g(a)) \succ_{ACRPO} f(g(h(a)), a) = t$ by case 5a, since we have that $s \succ_{ACRPO} f(h(a), a) \in EmbSmall(t)$ by case 4, $NoSmallHead(s) = \{h(a)\} \gg_{ACRPO} \emptyset = NoSmallHead(t)$ and $BigHead(s) = \{h(a)\} \gg_{ACRPO} \emptyset = BigHead(t)$.

3. $s = f(g(h(a)), a, a, a) \succ_{ACRPO} f(g(f(h(a), a)), a) = t$ by case 5b, since we have $\#(s) = 4 > 2 = \#(t)$, $NoSmallHead(s) = \emptyset = NoSmallHead(t)$, $BigHead(s) = \emptyset = BigHead(t)$ and, finally, $s \succ_{ACRPO} f(h(a), a, a) = t' \in EmbSmall(t)$ by applying first case 4 and then $s' = f(h(a), a, a, a) \succ_{ACRPO} f(h(a), a, a) = t'$ by case 5b, since $NoSmallHead(s') = BigHead(s') = \{h(a)\} = BigHead(t') = NoSmallHead(t')$, $EmbSmall(t') = \emptyset$ and $\#(s') = 4 > 3 = \#(t')$.

4. $s = f(h(a), a) \succ_{ACRPO} f(h(a), b) = t$ by case 5c, as $EmbSmall(t) = \emptyset$, $NoSmallHead(s) = BigHead(s) = \{h(a)\}$ and $NoSmallHead(t) = BigHead(t) = \{h(a)\}$, $\#(s) = 2 = \#(t)$ and $\{h(a), a\} \gg_{ACRPO} \{h(a), b\}$.

5. $s = f(h(x, y), a, y) \succ_{ACRPO} f(g(h(x, y)), y) = t$ by case 5a, since we have that $NoSmallHead(s) = \{h(x, y), y\} \gg_{ACRPO} \{y\} = NoSmallHead(t)$, $BigHead(s) = \{h(x, y)\} \gg_{ACRPO} \emptyset = BigHead(t)$ and finally, $s \succ_{ACRPO} f(h(x, y), y) = t' \in EmbSmall(t)$ by case 5b, since $NoSmallHead(s) = \{h(x, y), y\} = NoSmallHead(t')$, $BigHead(s) = \{h(x, y)\} = BigHead(t')$, $EmbSmall(t') = \emptyset$ and $\#(s) = y + 2 > y + 1 = \#(t')$.
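Definitions 2 to 4 together with the flattening and AC-equality of Section 2, as an added Python implementation that is not the authors' code: terms are nested tuples, $=_{AC}$ is decided by sorting the arguments of AC symbols after flattening, $EmbSmall$ uses the top-flattening $tf_f$, and $\#$ is compared coefficient-wise on its constant and variable parts, which is a sound approximation of the comparison of the expressions in Definition 3 (every variable stands for at least one argument after instantiation). The AC symbol and the precedence are those of Example 3, so its five comparisons, plus the RPO monotonicity failure $f(f(a, a), b)$ versus $f(g(a), b)$ from Section 2, serve as the check.

```python
"""ACRPO (Definition 4) on flattened terms; added example, not the authors' code."""
from collections import Counter

# Terms: a variable is a str, an application a tuple (symbol, arg_1, ...);
# constants are 1-tuples.  AC symbol and precedence as in Example 3: h > f > g > a > b.
AC = {"f"}
PREC = {"h": 4, "f": 3, "g": 2, "a": 1, "b": 0}
A, B = ("a",), ("b",)

def is_var(t): return isinstance(t, str)
def top(t): return None if is_var(t) else t[0]
def args(t): return list(t[1:])
def prec_gt(f, g): return PREC[f] > PREC[g]

def flatten(t):
    """Normal form w.r.t. f(.., f(y_1..y_k), ..) -> f(.., y_1..y_k, ..) for f in F_AC."""
    if is_var(t):
        return t
    ts = [flatten(a) for a in args(t)]
    if t[0] in AC:
        ts = [b for a in ts for b in (args(a) if top(a) == t[0] else [a])]
    return (t[0], *ts)

def canon(t):
    """Sort the arguments of AC symbols, so that s =_AC t iff canon(s) == canon(t)."""
    if is_var(t):
        return t
    ts = [canon(a) for a in args(t)]
    return (t[0], *(sorted(ts, key=repr) if t[0] in AC else ts))

def ac_eq(s, t): return canon(flatten(s)) == canon(flatten(t))

def tf(f, s):
    """Top-flattening tf_f(s)."""
    return args(s) if top(s) == f else [s]

def big_head(s): return [a for a in args(s) if not is_var(a) and prec_gt(top(a), s[0])]
def no_small_head(s): return [a for a in args(s) if is_var(a) or not prec_gt(s[0], top(a))]

def emb_small(s):
    """f(s_1, .., tf_f(v_j), .., s_n) for every argument s_i = h(v_1..v_r) with f > h."""
    f, ts = s[0], args(s)
    return [(f, *ts[:i], *tf(f, v), *ts[i + 1:]) for i, a in enumerate(ts)
            if not is_var(a) and prec_gt(f, top(a)) for v in args(a)]

def count(s):
    """#(s) as (number of non-variable arguments, multiset of variable arguments)."""
    vs = [a for a in args(s) if is_var(a)]
    return len(args(s)) - len(vs), Counter(vs)

def count_ge(s, t):
    # Coefficient-wise comparison of the linear expressions #(s), #(t): a sound
    # approximation, since every variable stands for at least one argument.
    (cs, vs), (ct, vt) = count(s), count(t)
    return cs >= ct and all(vs[x] >= n for x, n in vt.items())

def count_gt(s, t):
    (cs, vs), (ct, vt) = count(s), count(t)
    return count_ge(s, t) and (cs > ct or any(vs[x] > n for x, n in vt.items()))

def remove_common(M, N):
    """Drop pairs of AC-equal elements; what remains decides the multiset comparison."""
    M, N = list(M), list(N)
    for n in list(N):
        for m in M:
            if ac_eq(m, n):
                M.remove(m); N.remove(n)
                break
    return M, N

def mul_gt(M, N):
    """AC-multiset extension of >_ACRPO."""
    M2, N2 = remove_common(M, N)
    return bool(M2) and all(any(acrpo_gt(m, n) for m in M2) for n in N2)

def mul_ge(M, N): return not remove_common(M, N)[1] or mul_gt(M, N)
def acrpo_ge(s, t): return ac_eq(s, t) or acrpo_gt(s, t)

def acrpo_gt(s, t):
    s, t = flatten(s), flatten(t)
    if is_var(s):
        return False
    f, ss = s[0], args(s)
    if any(acrpo_ge(si, t) for si in ss):                        # case 1
        return True
    if is_var(t):
        return False
    g, ts = t[0], args(t)
    if prec_gt(f, g):                                            # case 2
        return all(acrpo_gt(s, ti) for ti in ts)
    if f != g:
        return False
    if f not in AC:                                              # case 3
        return mul_gt(ss, ts)
    if any(acrpo_ge(s2, t) for s2 in emb_small(s)):              # case 4
        return True
    if not all(acrpo_gt(s, t2) for t2 in emb_small(t)):          # case 5: EmbSmall(t)
        return False
    if not mul_ge(no_small_head(s), no_small_head(t)):           # NoSmallHead
        return False
    return (mul_gt(big_head(s), big_head(t))                     # 5a
            or count_gt(s, t)                                    # 5b
            or (count_ge(s, t) and mul_gt(ss, ts)))              # 5c
```

The cases are tried in the order of the definition, so `acrpo_gt` may succeed through an earlier case than the one named in Example 3 (item 3 already closes by case 4 via $f(h(a), a, a, a)$); the outcome is the same. Recursion terminates because every recursive call compares strictly smaller terms or proper subterms, and the reverse of item 4, $f(h(a), b)$ against $f(h(a), a)$, fails in case 5c because $b \not\succ_{ACRPO} a$.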

2.2 AC-Compatible Polynomial Interpretations 

Polynomial interpretations can be used to prove AC-termination as well. To 
achieve AC-compatibility we need to define polynomial interpretations such that 
all AC-equivalent terms have the same interpretation. In this paper we will use 
polynomial interpretations as ingredient in our termination proofs. 

Then, we can define a quasi-ordering and a strict ordering using this interpretation $\mu$ as follows:

- $s \succsim_\mu t$ iff $\mu(s) \geq \mu(t)$

- $s \succ_\mu t$ iff $\mu(s) > \mu(t)$

To ensure monotonicity of $\succsim_\mu$ we will only consider polynomial interpretations with non-negative integer coefficients.

Note that $\succ_\mu$ is included in but does not coincide with the strict part of $\succsim_\mu$. The reason for making this distinction is that the given $\succ_\mu$ is stable under substitutions and the strict part of $\succsim_\mu$ is not, as shown in the example: if $\mu(f(x, y)) = x + y$, $\mu(g(x)) = x + 1$ and $\mu(h(x)) = 0$ then $\mu(g(f(z_1, z_2))) = z_1 + z_2 + 1$ and $\mu(g(z_1)) = z_1 + 1$, and hence, $\mu(g(f(z_1, z_2))) \geq \mu(g(z_1))$ and $\mu(g(z_1)) \not\geq \mu(g(f(z_1, z_2)))$, but replacing $z_2$ by $h(z_3)$ we have $\mu(g(f(z_1, h(z_3)))) = z_1 + 1 = \mu(g(z_1))$. Hence before the instantiation, $g(f(z_1, z_2))$ and $g(z_1)$ compare in the strict part of $\succsim_\mu$ and, after the instantiation, they do not. Finally, the defined strict ordering does not have this stability problem since $g(f(z_1, z_2)) \not\succ_\mu g(z_1)$.

The following lemma gives a sufficient condition to ensure AC-compatibility.

Lemma 1. [BCL87] Let $\mu$ be a polynomial interpretation. If for all AC-symbols $f$ we have that $\mu(f(x, y))$ is of the form $axy + b(x + y) + c$ with $= b + ac$ then $\succsim_\mu$ and $\succ_\mu$ are AC-compatible.

For instance, if $f$ and $g$ are AC-symbols, the interpretation $\mu$ defined by $\mu(f(x, y)) = x + y + 1$ or by $\mu(f(x, y)) = 2xy + x + y$ fulfils the aforementioned conditions.
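Section 2.2 in executable form, as an added Python example that is not from the paper: the left-hand side of the condition of Lemma 1 is lost on the page; the check below assumes the Ben Cherifa/Lescanne condition $b^2 = b + ac$, and the expansion in the comment shows that it is exactly what makes $\mu(f(f(x, y), z)) = \mu(f(x, f(y, z)))$ hold as polynomials (commutativity holds for every $a, b, c$ since the form is symmetric). The second half reproduces the stability example: on the interpretation $\mu(f) = x + y$, $\mu(g) = x + 1$, $\mu(h) = 0$ the pair $g(f(z_1, z_2))$, $g(z_1)$ lies in the strict part of $\succsim_\mu$ but not in $\succ_\mu$, and leaves the strict part after the substitution $z_2 \mapsto h(z_3)$. Universal quantification over the non-negative integers is approximated by a finite grid of assignments, which suffices for these linear interpretations.

```python
"""AC-compatible polynomial interpretations (added example, not from the paper)."""
from itertools import product


def mu_binary(a, b, c):
    """mu(f(x, y)) = a*x*y + b*(x + y) + c, the shape required by Lemma 1."""
    return lambda x, y: a * x * y + b * (x + y) + c


def bcl_condition(a, b, c):
    """Assumed Ben Cherifa/Lescanne condition b^2 = b + a*c.  Expanding
    mu(f(f(x,y),z)) - mu(f(x,f(y,z))) gives (z - x) * (a*c - b^2 + b), so the
    condition holds iff the interpretation is associative."""
    return b * b == b + a * c


def associativity_defects(a, b, c, bound=3):
    """Argument triples in 0..bound on which the interpretation is not associative."""
    mu = mu_binary(a, b, c)
    return [(x, y, z) for x, y, z in product(range(bound + 1), repeat=3)
            if mu(mu(x, y), z) != mu(x, mu(y, z))]


# --- the stability problem of Section 2.2 ----------------------------------
# Terms: variables are str, applications are tuples (symbol, args...).
INTERP = {"f": lambda x, y: x + y, "g": lambda x: x + 1, "h": lambda x: 0}


def evaluate(t, env):
    if isinstance(t, str):
        return env[t]
    return INTERP[t[0]](*(evaluate(a, env) for a in t[1:]))


def variables(t):
    return {t} if isinstance(t, str) else {v for a in t[1:] for v in variables(a)}


def assignments(*terms, bound=3):
    """All assignments of the variables of the terms to 0..bound (finite stand-in
    for 'all non-negative integers'; enough for these linear interpretations)."""
    vs = sorted(set().union(*(variables(t) for t in terms)))
    return [dict(zip(vs, vals)) for vals in product(range(bound + 1), repeat=len(vs))]


def weak_ge(s, t):
    """s >=_mu t: mu(s) >= mu(t) under every assignment."""
    return all(evaluate(s, e) >= evaluate(t, e) for e in assignments(s, t))


def strict_gt(s, t):
    """s >_mu t: mu(s) > mu(t) under every assignment; stable under substitutions."""
    return all(evaluate(s, e) > evaluate(t, e) for e in assignments(s, t))


def strict_part(s, t):
    """Strict part of >=_mu, i.e. s >=_mu t and not t >=_mu s; not stable."""
    return weak_ge(s, t) and not weak_ge(t, s)


def substitute(t, sigma):
    if isinstance(t, str):
        return sigma.get(t, t)
    return (t[0], *(substitute(a, sigma) for a in t[1:]))


S, T = ("g", ("f", "z1", "z2")), ("g", "z1")   # g(f(z1, z2)) and g(z1)
SIGMA = {"z2": ("h", "z3")}                    # the instantiation of the text

if __name__ == "__main__":
    print(bcl_condition(0, 1, 1), bcl_condition(2, 1, 0))   # x+y+1 and 2xy+x+y: True True
    print(strict_part(S, T), strict_gt(S, T))               # True False
    print(strict_part(substitute(S, SIGMA), T))             # False
```

`associativity_defects` is the brute-force counterpart of `bcl_condition`: for coefficients violating the condition, such as $(a, b, c) = (1, 1, 1)$, it returns triples on which the two bracketings differ, whereas for $x + y + 1$ and $2xy + x + y$ it returns nothing.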

2.3 The SPO 

To conclude the preliminaries we will recall briefly the definition of the semantic 
path ordering [KL80]. The SPO is a generalization of RPO where the comparison 
with the precedence is replaced by a comparison using an underlying quasi- 
ordering involving the whole term. 

Here we will present a slightly modified version of SPO where instead of using only an underlying quasi-ordering we will use a compatible ordering pair, which includes a quasi-ordering $\succsim_Q$ and a strict ordering $\succ_Q$ which is compatible with $\succsim_Q$. This is done in order to use polynomial interpretations as underlying quasi-ordering, since, as seen, the strict polynomial ordering we have defined (is included in, but) does not coincide with the strict part of the given polynomial quasi-ordering, since the latter is not stable under substitutions (see Section 2.2).

Definition 5. Let $\succsim_Q$ be a quasi-ordering and let $\succ_Q$ be an ordering. Then $(\succsim_Q, \succ_Q)$ is a compatible ordering pair if

- $\succ_Q$ is compatible with $\succsim_Q$, i.e., $s' \succsim_Q s \succ_Q t \succsim_Q t'$ implies $s' \succ_Q t'$.

- $\succ_Q$ is well-founded.

- $\succ_Q$ and $\succsim_Q$ are stable under substitutions.

Note that our notion of compatible ordering pair is similar to the notion of weak reduction pair given in [KNT99], but in our case we do not require monotonicity of $\succsim_Q$.

These compatible ordering pairs can be defined using polynomial interpreta- 
tions or using standard term interpretations over some term ordering. Another 
possibility is to combine (lexicographically) a precedence with (quasi-)orderings obtained by using interpretations.

From a given compatible ordering pair we can build the SPO in a recursive 
way following a path ordering scheme. 

Definition 6 (The SPO). Let $(\succsim_Q, \succ_Q)$ be a compatible ordering pair.

Let $s$ and $t$ be terms in $\mathcal{T}(\mathcal{F}, \mathcal{X})$. Then $s = f(s_1 \ldots s_n) \succ_{SPO} t$ if and only if

1. $s_i \succsim_{SPO} t$ for some $i \in \{1 \ldots n\}$, or

2. $t = g(t_1, \ldots, t_m)$, $s \succ_Q t$ and $s \succ_{SPO} t_i$ for all $i \in \{1 \ldots m\}$, or

3. $t = g(t_1, \ldots, t_m)$, $s \sim_Q t$ and $\{s_1, \ldots, s_n\} \gg_{SPO} \{t_1, \ldots, t_m\}$

where $\succsim_{SPO}$ is $\succ_{SPO} \cup =$ and $\gg_{SPO}$ is the multiset extension of $\succ_{SPO}$.

The semantic path ordering is a well-founded ordering which is stable under 
substitutions. Unfortunately, it is, in general, not monotonic. 



3 The AC-Semantic Path Ordering 

In this section we will define an AC-compatible version of SPO, based on the 
definition of ACRPO. In this case, to be able to adapt the ACRPO scheme, we 
need to restrict the family of underlying orderings used inside SPO, to those using 
first a precedence and later (lexicographically) some quasi-ordering comparing 
the whole terms. Additionally, in order to ensure stability under substitutions 
we need to impose some extra conditions on this quasi-ordering. 

Definition 7. Let $\succsim_Q$ be a quasi-ordering and let $\succ_Q$ be an ordering. Then $(\succsim_Q, \succ_Q)$ is an AC-compatible ordering pair if

- $(\succsim_Q, \succ_Q)$ is a compatible ordering pair.

- $\succ_Q$ and $\succsim_Q$ are AC-compatible.

- $\succsim_Q$ fulfils the AC-deletion property.

In addition, we say that $(\succsim_Q, \succ_Q)$ is AC-monotonic if both $\succsim_Q$ and $\succ_Q$ are AC-monotonic.

Finally we have two more conditions relating the precedence and $\succsim_Q$.

(R1) $\forall g \in \mathcal{F}$ such that $f \succ_{\mathcal{F}} g$ for some $f \in \mathcal{F}_{AC}$: $g(x_1, \ldots, x_n) \succsim_Q x_i$ for all $i = 1 \ldots n$

(R2) $f(s_1, \ldots, x, \ldots, s_n) \succsim_Q g(t_1, \ldots, x, \ldots, t_m)$ implies $f(s_1, \ldots, y, \ldots, s_n) \succsim_Q g(t_1, \ldots, y, \ldots, t_m)$ for all $f, g \in \mathcal{F}_{AC}$

Due to the unavoidable condition of being AC-compatible, all other condi- 
tions except (Rl) are easily satisfied. Condition (Rl) has an impact on those 
symbols that are smaller, in the precedence, than an AC-symbol. 

However, the allowed classes of quasi-orderings turn out to be powerful 
enough to obtain simple proofs of termination for the non-trivial examples given 
in the introduction. 
Additionally, again due to the stability under substitutions, we need to linearize some variables when comparing two terms headed by equivalent AC-symbols. Condition (R2) above relates to this linearization (note that the variable $x$ may occur several times but we only replace one of them by $y$).

Definition 8. Given two terms $s = f(s_1, \ldots, s_n)$ and $t = g(t_1, \ldots, t_m)$ such 
that $f =_{\mathcal{F}} g \in \mathcal{F}_{AC}$ and a set of variables $L$, the linearization of $s$ and $t$ wrt. $L$ 
is defined as 

$$lin(s, t, L) = \begin{cases} lin(s', t', L) & \text{if } t_i = s_j \in L, \text{ where } w \text{ is a fresh variable, } s' = s[w]_j,\ t' = t[w]_i \\ \langle s, t \rangle & \text{otherwise} \end{cases}$$



Example 4. Let $f \in \mathcal{F}_{AC}$ and $h \succ_{\mathcal{F}} f \succ_{\mathcal{F}} g$. Given $s = f(h(x,y), g(z), z, y, z)$, 
$t = f(g(x), z, x, y, z)$ and $L = \{z\}$ we have that 

$$\langle s, t \rangle = lin(s, t, L) = \langle f(h(x,y), g(z), z_1, y, z_2),\ f(g(x), z_1, x, y, z_2) \rangle .$$

We now give the definition of the ACSPO. For simplicity reasons, here we 
have only considered total precedences, but like for ACRPO this condition can 
be removed. On the other hand, since we consider $\succeq_{\mathcal{F}}$ as $\succ_{\mathcal{F}} \cup =_{\mathcal{F}}$ instead of 
$\succ_{\mathcal{F}}$ union syntactic equality, the flat form $\bar{t}$ of $t$ has to be defined as the 
normal form of $t$ wrt. the rules 

$$f(x_1 \ldots x_{i-1}, g(y_1 \ldots y_k), x_{i+1} \ldots x_n) \to f(x_1 \ldots x_{i-1}, y_1 \ldots y_k, x_{i+1} \ldots x_n)$$ 
for each $f \in \mathcal{F}_{AC}$ and $g =_{\mathcal{F}} f$. 
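The following Python is an added illustration of the flat form just defined and of the linearization of Definition 8, reproduced on the terms of Example 4; it is not code from the paper. The term encoding (variables as strings, applications as tuples headed by the symbol name) and the use of `ac_classes` to represent the $=_{\mathcal{F}}$-classes of AC symbols are assumptions of the example.

```python
# Terms: variables are strings, applications are tuples ('f', arg1, ..., argn).

def flatten(t, ac_classes):
    """Flat form of t: normal form wrt. f(..., g(y1..yk), ...) -> f(..., y1..yk, ...)
    for f AC and g =_F f.  ac_classes maps each AC symbol to the set of symbols
    equivalent to it (the symbol itself included)."""
    if isinstance(t, str):
        return t
    f, *args = t
    args = [flatten(a, ac_classes) for a in args]
    if f not in ac_classes:
        return (f, *args)
    out = []
    for a in args:
        if not isinstance(a, str) and a[0] in ac_classes[f]:
            out.extend(a[1:])          # splice the arguments of an equivalent AC head
        else:
            out.append(a)
    return (f, *out)

def variables(t):
    return {t} if isinstance(t, str) else {x for a in t[1:] for x in variables(a)}

def linearize(s, t, L):
    """lin(s, t, L) of Definition 8: while some argument t_i of t is a variable
    of L that is also an argument s_j of s, replace that one occurrence in each
    term by a fresh variable.  Returns the pair <s', t'>."""
    f, *ss = s
    g, *ts = t
    used = variables(s) | variables(t)
    counter = {}
    while True:
        hit = next(((i, ss.index(ti)) for i, ti in enumerate(ts)
                    if isinstance(ti, str) and ti in L and ti in ss), None)
        if hit is None:
            return (f, *ss), (g, *ts)
        i, j = hit
        base = ts[i]
        counter[base] = counter.get(base, 0) + 1
        w = f"{base}{counter[base]}"
        while w in used:                  # keep the new variable genuinely fresh
            counter[base] += 1
            w = f"{base}{counter[base]}"
        used.add(w)
        ss[j], ts[i] = w, w

# Example 4: s = f(h(x,y), g(z), z, y, z), t = f(g(x), z, x, y, z), L = {z}
S4 = ('f', ('h', 'x', 'y'), ('g', 'z'), 'z', 'y', 'z')
T4 = ('f', ('g', 'x'), 'z', 'x', 'y', 'z')
```

Running `linearize(S4, T4, {'z'})` renames the two shared argument occurrences of $z$ to $z_1$ and $z_2$ exactly as in Example 4, while $y$ (shared but not in $L$) and the $z$ under $g$ (not an argument of $f$) are left alone.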

Definition 9 (The ACSPO). Let $\succeq_{\mathcal{F}}$ be a total well-founded precedence such 
that for all $f, g \in \mathcal{F}$, $f =_{\mathcal{F}} g$ implies that either $f, g \in \mathcal{F} \setminus \mathcal{F}_{AC}$ or $f, g \in \mathcal{F}_{AC}$, 
and let $(\succeq_Q, \succ_Q)$ be an AC-monotonic and AC-compatible ordering pair, with 
$\succeq_Q$ fulfilling the above conditions (R1) and (R2). 

Let $s, t$ be terms in $\mathcal{T}(\mathcal{F}, \mathcal{X})$. Then $s = f(s_1 \ldots s_n) \succ_{acspo} t$ if and only if 

1. $s_i \succeq_{acspo} t$ for some $i \in \{1 \ldots n\}$, or 

2. $f \in \mathcal{F}_{AC}$ and $s' \succeq_{acspo} t$ for some $s' \in EmbSmall(s)$, or 

3. $t = g(t_1 \ldots t_m)$ and either $f \succ_{\mathcal{F}} g$ or ($f =_{\mathcal{F}} g$ and $s \succ_Q t$), and $s \succ_{acspo} t_i$ for 
all $i \in \{1 \ldots m\}$, or 

4. $t = g(t_1 \ldots t_m)$, $f =_{\mathcal{F}} g \notin \mathcal{F}_{AC}$, $s \succeq_Q t$ and $\{s_1, \ldots, s_n\} \succ\!\succ_{acspo} \{t_1, \ldots, t_m\}$, or 

5. $t = g(t_1 \ldots t_m)$, $f =_{\mathcal{F}} g \in \mathcal{F}_{AC}$, $s \succeq_Q t$, $s \succ_{acspo} t'$ for all $t' \in EmbSmall(\bar{t})$, 
$NoSmallHead(\bar{s}) \succeq\!\succeq_{acspo} NoSmallHead(\bar{t})$ and either 

(a) $BigHead(\bar{s}) \succ\!\succ_{acspo} BigHead(\bar{t})$, or 

(b) $\#(\bar{s}) > \#(\bar{t})$, or 

(c) $\#(\bar{s}) \geq \#(\bar{t})$ and $\{\bar{s}_1, \ldots, \bar{s}_n\} \succ\!\succ_{acspo} \{\bar{t}_1, \ldots, \bar{t}_m\}$ 

where $\succeq_{acspo}$ is $\succ_{acspo} \cup =_{AC}$, $\succ\!\succ_{acspo}$ is the AC-multiset extension of $\succ_{acspo}$ 
and $\langle \bar{s}, \bar{t} \rangle = lin(\bar{s}, \bar{t}, L_{\langle \bar{s}, \bar{t} \rangle})$, where $L_{\langle \bar{s}, \bar{t} \rangle}$ is the set of variables $\{x \mid \exists\, \bar{t}_i = 
x \in \mathcal{X}$ and $BigHead(\bar{s}) \not\succ\!\succ_{acspo} BigHead(\bar{t}) \cup \{x\}\}$. 
The definitions of $NoSmallHead$, $BigHead$ and $EmbSmall$ are given in 
Section 2. Note that linearization is only needed in case 5, when checking recur- 
sively the terms in $EmbSmall$. Remark that in this case we have also required 
$NoSmallHead(\bar{s}) \succeq\!\succeq_{acspo} NoSmallHead(\bar{t})$, which ensures that for any variable 
$x$ occurring as an argument of $\bar{t}$ such that $BigHead(\bar{s}) \not\succ\!\succ_{acspo} BigHead(\bar{t}) \cup \{x\}$ 
there are at least as many occurrences of $x$ as an argument of $\bar{s}$ as there are as an argument 
of $\bar{t}$. Hence, after linearization all occurrences of variables in $L_{\langle \bar{s}, \bar{t} \rangle}$ that are 
arguments of $\bar{t}$ have been renamed. 

Theorem 2. $\succ_{acspo}$ is a well-founded AC-compatible ordering which is stable 
under substitutions. 

4 The Monotonic AC-Semantic Path Ordering 

Now we will obtain a monotonic version by using the same technique as for the 
MSPO in [BFR00] but considering AC-reduction triplets of the form $(\succeq_I, \succeq_Q, \succ_Q)$. 

Definition 10. A quasi-ordering $\succeq_Q$ is monotonic wrt. $\succeq_I$ if $s \succeq_I t$ implies 
$f(\ldots s \ldots) \succeq_Q f(\ldots t \ldots)$ for every $f \in \mathcal{F}$. Note that if $f \in \mathcal{F}_{AC}$ then we may 
need to apply some flattening. 

Then $(\succeq_I, \succeq_Q, \succ_Q)$ is an AC-reduction triplet if $(\succeq_Q, \succ_Q)$ is an AC-monotonic 
AC-compatible ordering pair, $\succeq_I$ is an AC-compatible quasi-ordering that is monotonic and stable 
under substitutions, and $\succeq_Q$ is monotonic wrt. $\succeq_I$. 

Definition 11 (The ACMSPO). Let $\succeq_{\mathcal{F}}$ be a precedence and $(\succeq_I, \succeq_Q, \succ_Q)$ be 
an AC-reduction triplet, where $\succeq_Q$ satisfies conditions (R1) and (R2). 

$s \succ_{acmspo} t$ iff $s \succeq_I t$ and $s \succ_{acspo} t$. 

Note that $\succeq_{\mathcal{F}}$ must fulfil the same condition required in the definition of 
ACSPO. 

Theorem 3. $\succ_{acmspo}$ is an AC-compatible reduction ordering. 

This result implies that ACMSPO is a suitable method for proving AC- 
termination without the need of considering any extension rule, since by mono- 
tonicity they will be trivially included in ACMSPO. However, in order to use 
this method in practice we need to build actual adequate triplets $(\succeq_I, \succeq_Q, \succ_Q)$ 
fulfilling all requirements. 

In most of the cases it is enough to define $\succ_Q$ (respectively $\succeq_Q$) as the applica- 
tion of $\succ_I$ (respectively $\succeq_I$) on terms after applying a renaming of the non-AC 
head symbols (as in the dependency pair method). Hence we have $s \succeq_Q t$ iff 
$N(s) \succeq_I N(t)$ (respectively $s \succ_Q t$ iff $N(s) \succ_I N(t)$) for some renaming mapping $N$ 
applied only at top positions for non-AC symbols. In this case, the monotonicity 
of $\succeq_Q$ wrt. $\succeq_I$ is implied by the monotonicity of $\succeq_I$. 

In all examples considered in this paper, even the renaming is not needed, 
and hence $(\succeq_Q, \succ_Q)$ and $(\succeq_I, \succ_I)$ coincide. 

In this paper, the pair $(\succeq_I, \succ_I)$ is defined by a polynomial interpretation 
$I$ as seen in Section 2.2. The pair can also be obtained by using 
standard term interpretations (with straightforward conditions to ensure AC- 
compatibility and the other properties) over an AC-compatible reduction order- 
ing on terms like ACRPO (in a similar way as done for the dependency pair 
method and MSPO). 

Furthermore, since $(\succeq_Q, \succ_Q)$ and $(\succeq_I, \succ_I)$ coincide, all conditions we have 
imposed on $\succeq_Q$ and $\succ_Q$ should also be satisfied by $\succeq_I$ and $\succ_I$. Hence, we have to 
check that $(\succeq_I, \succ_I)$ is an AC-monotonic AC-compatible ordering pair and that $\succeq_I$, 
apart from monotonicity (which was already required), also satisfies R1 and R2. 

The next lemma provides sufficient conditions for a polynomial interpretation 
to satisfy all required properties. A polynomial interpretation $I$ is said to be 
strictly positive if no symbol is interpreted to 0 in $I$. The interpretation of a 
symbol $f$ is said to be fully argument dependent if $I(f(x_1, \ldots, x_n))$ depends on 
all $x_1, \ldots, x_n$. 

Lemma 2. Let $\succeq_{\mathcal{F}}$ be a precedence and let $I$ be a polynomial interpretation 
with non-negative integer coefficients. The pair $(\succeq_I, \succ_I)$ is an AC-monotonic 
AC-compatible ordering pair and $\succeq_I$ is monotonic and satisfies R1 and R2 if 

— for all AC-symbols $f$ we have that $I(f(x, y)) = axy + b(x + y) + c$ with 

1. $b^2 = b + ac$ and 

2. either $I$ is strictly positive and $a \neq 0$, or $b \neq 0$. 

— for all symbols $g$ s.t. $f \succ_{\mathcal{F}} g$ for some AC-symbol $f$ we have that either 

1. $I$ is strictly positive and the interpretation of $g$ is fully argument depen- 
dent, or 

2. $I(g(x_1, \ldots, x_n)) = P + b_1 x_1 + \cdots + b_n x_n$ where $P$ is a polynomial and 
all $b_i \neq 0$. 



Similarly, we can impose some simple condition on term interpretations in 
order to satisfy all required properties. 



5 Examples 

In this section we will present several examples together with the ingredients, i.e., 
a precedence and a polynomial interpretation, required to show their termination 
by ACMSPO. For these examples, we have checked that all rules are included in 
ACMSPO (this is detailed in Example 6). In this section, we assume that the 
ingredients are provided by the user and, hence, we only need to check the rules 
following the definition of ACMSPO (as is usually done for path orderings). In the 
following section a way to automatically generate these ingredients is studied. 
Let us start with a very simple example. 
Example 5. Both $+$ and $*$ are AC-symbols. 

$x + 0 \to x$ 

$x + s(y) \to s(x + y)$ 

$x * 0 \to 0$ 

$x * s(y) \to x * y + x$ 

$minus(x, 0) \to x$ 

$minus(s(x), s(y)) \to minus(x, y)$ 

$quot(0, s(y)) \to 0$ 

$quot(s(x), s(y)) \to s(quot(minus(x, y), s(y)))$ 

These rules are included in ACMSPO taking as precedence $quot \succ_{\mathcal{F}} minus \succ_{\mathcal{F}} 
* \succ_{\mathcal{F}} + \succ_{\mathcal{F}} s$ and as $(\succeq_I, \succ_I) = (\succeq_Q, \succ_Q)$ the polynomial interpretation 

$I(quot(x, y)) = x$, $I(minus(x, y)) = x$, $I(s(x)) = x + 1$, $I(0) = 1$, $I(x + y) = x + y$ 
and $I(x * y) = x * y + x + y$. 

The following example comes with the complete proof showing that all rules 
are included in ACMSPO with the given ingredients (i.e., a precedence and a 
polynomial interpretation). 

Example 6. Binary arithmetic (given in the introduction). Let us recall the rules 
($+$ and $*$ are the only AC-symbols). 

$(\#)0 \to \#$ 

$x + \# \to x$ 

$x * \# \to \#$ 

$(x)0 + (y)0 \to (x + y)0$ 

$(x)0 + (y)1 \to (x + y)1$ 

$(x)1 + (y)1 \to (x + y + (\#)1)0$ 

$x * (y)0 \to (x * y)0$ 

$x * (y)1 \to x + (x * y)0$ 

Take as precedence $* \succ_{\mathcal{F}} + \succ_{\mathcal{F}} 1 \succ_{\mathcal{F}} 0 \succ_{\mathcal{F}} \#$ and as $(\succeq_I, \succ_I) = (\succeq_Q, \succ_Q)$ the 
polynomial interpretation $I(\#) = 1$, $I((x)0) = x$, $I((x)1) = x + 2$, $I(x + y) = x + y$ 
and $I(x * y) = x * y + x + y$. 

Now, we will show how the definition of ACMSPO is used for checking the 
rules. We have to check that all rules $l \to r$ are included in ACMSPO, which, 
by definition, means that $l \succeq_I r$ and $l \succ_{acspo} r$. 
First we prove $l \succeq_I r$ for all $l \to r \in \mathcal{R}$: 

$I((\#)0) = 1 \geq 1 = I(\#)$ 

$I(x + \#) = x + 1 \geq x = I(x)$ 

$I(x * \#) = x * 1 + x + 1 \geq 1 = I(\#)$ 

$I((x)0 + (y)0) = x + y \geq x + y = I((x + y)0)$ 

$I((x)0 + (y)1) = x + y + 2 \geq x + y + 2 = I((x + y)1)$ 

$I((x)1 + (y)1) = x + 2 + y + 2 \geq x + y + 1 + 2 = I((x + y + (\#)1)0)$ 

$I(x * (y)0) = x * y + x + y \geq x * y + x + y = I((x * y)0)$ 

$I(x * (y)1) = x * (y + 2) + x + y + 2 \geq x + x * y + x + y = I(x + (x * y)0)$ 


Now we show $l \succ_{acspo} r$ for all $l \to r \in \mathcal{R}$. 

(1) $(\#)0 \succ_{acspo} \#$ by case 1, 

(2) $x + \# \succ_{acspo} x$ by case 1, 

(3) $x * \# \succ_{acspo} \#$ by case 1, 

(4) $(x)0 + (y)0 \succ_{acspo} (x + y)0$ by case 3: 
$+ \succ_{\mathcal{F}} 0$ and $(x)0 + (y)0 \succ_{acspo} x + y$ by applying case 2 twice since 
$(x)0 + y \in EmbSmall((x)0 + (y)0)$ and 
$x + y \in EmbSmall((x)0 + y)$ 

(5) $(x)0 + (y)1 \succ_{acspo} (x + y)1$ by case 3: 
$+ \succ_{\mathcal{F}} 1$ and $(x)0 + (y)1 \succ_{acspo} x + y$ by applying case 2 twice since 
$(x)0 + y \in EmbSmall((x)0 + (y)1)$ and 
$x + y \in EmbSmall((x)0 + y)$ 

(6) $(x)1 + (y)1 \succ_{acspo} (x + y + (\#)1)0$ by case 3: 
$+ \succ_{\mathcal{F}} 0$ and $(x)1 + (y)1 \succ_{acspo} x + y + (\#)1$ by case 3: 
$+ =_{\mathcal{F}} +$ and 
$I((x)1 + (y)1) = x + 2 + y + 2 > x + y + 1 + 2 = I(x + y + (\#)1)$ and 
$(x)1 + (y)1 \succ_{acspo} x$ by applying case 1 twice, 
$(x)1 + (y)1 \succ_{acspo} y$ by applying case 1 twice, 
$(x)1 + (y)1 \succ_{acspo} (\#)1$ by case 3: 
$+ \succ_{\mathcal{F}} 1$ and 
$(x)1 + (y)1 \succ_{acspo} \#$ by case 3 since $+ \succ_{\mathcal{F}} \#$ 

(7) $x * (y)0 \succ_{acspo} (x * y)0$ by case 3: 
$* \succ_{\mathcal{F}} 0$ and 
$x * (y)0 \succ_{acspo} x * y$ by case 2 since $x * y \in EmbSmall(x * (y)0)$ 

(8) $x * (y)1 \succ_{acspo} x + (x * y)0$ by case 3: 
$* \succ_{\mathcal{F}} +$ and $x * (y)1 \succ_{acspo} x$ by case 1, 
$x * (y)1 \succ_{acspo} (x * y)0$ by case 3: 
$* \succ_{\mathcal{F}} 0$ and 
$x * (y)1 \succ_{acspo} x * y$ by case 2 since $x * y \in EmbSmall(x * (y)1)$ 
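The first half of the check above (every rule satisfies $l \succeq_I r$) is mechanical once the interpretation is written down. The following Python is an added example, not code from the paper or from Termptation: it encodes the polynomial interpretations of Examples 5 and 6 as polynomials with natural-number coefficients, decides $l \succeq_I r$ (and $l \succ_I r$) for every rule with the usual sufficient criterion that every coefficient of $I(l) - I(r)$ is non-negative (a positive constant term gives the strict version), and also checks the AC-symbol condition $b^2 = b + ac$ of Lemma 2. The term encoding (variables as strings, applications as tuples, the postfix digits $0$ and $1$ of Example 6 written prefix) is an assumption of the example.

```python
# Terms are nested tuples ('sym', arg, ...); variables are bare strings.
# A polynomial over the naturals is a dict {monomial: coefficient}; a monomial
# is a sorted tuple of (variable, exponent) pairs, () being the constant term.

def p_const(c):
    return {(): c} if c else {}

def p_var(x):
    return {((x, 1),): 1}

def p_add(p, q):
    out = dict(p)
    for m, c in q.items():
        out[m] = out.get(m, 0) + c
    return {m: c for m, c in out.items() if c}

def p_mul(p, q):
    out = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            exps = dict(m1)
            for v, e in m2:
                exps[v] = exps.get(v, 0) + e
            m = tuple(sorted(exps.items()))
            out[m] = out.get(m, 0) + c1 * c2
    return {m: c for m, c in out.items() if c}

def interpret(term, interp):
    """I(term): apply the head symbol's polynomial to the interpreted arguments."""
    if isinstance(term, str):
        return p_var(term)
    sym, *args = term
    return interp[sym](*[interpret(a, interp) for a in args])

def compare(l, r, interp):
    """'strict' if I(l) > I(r) and 'weak' if I(l) >= I(r) for every assignment of
    natural numbers, else None.  Sufficient criterion: all coefficients of
    I(l) - I(r) are non-negative; a positive constant term gives strictness."""
    d = p_add(interpret(l, interp), {m: -c for m, c in interpret(r, interp).items()})
    if any(c < 0 for c in d.values()):
        return None
    return 'strict' if d.get((), 0) > 0 else 'weak'

def ac_symbol_ok(interp, sym, strictly_positive):
    """Lemma 2's condition on a binary AC symbol f: I(f(x,y)) = axy + b(x+y) + c
    with b^2 = b + ac, and b != 0 or (I strictly positive and a != 0)."""
    p = interp[sym](p_var('x'), p_var('y'))
    mx, my, mxy = (('x', 1),), (('y', 1),), (('x', 1), ('y', 1))
    if set(p) - {(), mx, my, mxy} or p.get(mx, 0) != p.get(my, 0):
        return False                      # not of the form axy + b(x+y) + c
    a, b, c = p.get(mxy, 0), p.get(mx, 0), p.get((), 0)
    return b * b == b + a * c and (b != 0 or (strictly_positive and a != 0))

def check_rules(rules, interp):
    """First ACMSPO condition, l >=_I r, for every rule l -> r of the system."""
    return [compare(l, r, interp) for l, r in rules]

# Example 6: I(#)=1, I((x)0)=x, I((x)1)=x+2, I(x+y)=x+y, I(x*y)=xy+x+y
BIN = {
    '#': lambda: p_const(1),
    '0': lambda x: x,
    '1': lambda x: p_add(x, p_const(2)),
    '+': lambda x, y: p_add(x, y),
    '*': lambda x, y: p_add(p_mul(x, y), p_add(x, y)),
}
H = ('#',)
BIN_RULES = [
    (('0', H), H),
    (('+', 'x', H), 'x'),
    (('*', 'x', H), H),
    (('+', ('0', 'x'), ('0', 'y')), ('0', ('+', 'x', 'y'))),
    (('+', ('0', 'x'), ('1', 'y')), ('1', ('+', 'x', 'y'))),
    (('+', ('1', 'x'), ('1', 'y')), ('0', ('+', ('+', 'x', 'y'), ('1', H)))),
    (('*', 'x', ('0', 'y')), ('0', ('*', 'x', 'y'))),
    (('*', 'x', ('1', 'y')), ('+', 'x', ('0', ('*', 'x', 'y')))),
]

# Example 5: I(quot(x,y))=x, I(minus(x,y))=x, I(s(x))=x+1, I(0)=1, I(x+y)=x+y,
# I(x*y)=xy+x+y; here '0' is the nullary constant of that system.
NAT = {
    'quot': lambda x, y: x,
    'minus': lambda x, y: x,
    's': lambda x: p_add(x, p_const(1)),
    '0': lambda: p_const(1),
    '+': lambda x, y: p_add(x, y),
    '*': lambda x, y: p_add(p_mul(x, y), p_add(x, y)),
}
Z = ('0',)
NAT_RULES = [
    (('+', 'x', Z), 'x'),
    (('+', 'x', ('s', 'y')), ('s', ('+', 'x', 'y'))),
    (('*', 'x', Z), Z),
    (('*', 'x', ('s', 'y')), ('+', ('*', 'x', 'y'), 'x')),
    (('minus', 'x', Z), 'x'),
    (('minus', ('s', 'x'), ('s', 'y')), ('minus', 'x', 'y')),
    (('quot', Z, ('s', 'y')), Z),
    (('quot', ('s', 'x'), ('s', 'y')), ('s', ('quot', ('minus', 'x', 'y'), ('s', 'y')))),
]
```

`check_rules(BIN_RULES, BIN)` reports a weak decrease for five of the eight rules and a strict one for the other three (among them $(x)1 + (y)1 \to (x + y + (\#)1)0$, whose strict decrease is exactly what case 3 of ACSPO used in step (6) above); the same function applied to `NAT_RULES` confirms the ingredients of Example 5. Both `+` and `*` pass `ac_symbol_ok`, since $b = 1$ and $b^2 = 1 = b + ac$ in both interpretations. The coefficient criterion is only sufficient, so a `None` verdict means "not shown", not "false".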

We come back to the second example of the introduction. Here we only 
provide the ingredients for the proof. Note that the polynomial interpretation 
we are using is very simple, which shows that the use of a precedence first is 
crucial. 

Example 7. Ternary integral arithmetic (given in the introduction in Exam- 
ple 2). 

It is proved included in $\succ_{acmspo}$ as follows: take as precedence $* \succ_{\mathcal{F}} 
+ \succ_{\mathcal{F}} opp \succ_{\mathcal{F}} 1 =_{\mathcal{F}} j \succ_{\mathcal{F}} 0 \succ_{\mathcal{F}} \#$ and as $(\succeq_I, \succ_I) = (\succeq_Q, \succ_Q)$ the polynomial 
interpretation $I(\#) = 0$, $I(opp(x)) = x$, $I((x)0) = x$, $I((x)1) = I((x)j) = x + 1$, 
$I(x - y) = I(x + y) = x + y$ and $I(x * y) = x * y + x + y$. 



6 Constraints 



Proving termination with ACMSPO can be translated into a constraint solving 
problem in the same way as it is done for MSPO in [BFR00] and implemented 
in a fully automated system called Termptation [BR02]. The idea is to extract a 
set of constraints from the application of the definition of ACMSPO to the set of 
rules. Hence, if we can solve the constraints then there is a proof of termination 
of the given TRS using ACMSPO. 

First, we obtain a set of constraints on $\succeq_I$ from the first condition of the defi- 
nition of ACMSPO applied to all rules. Then, we have to automatically generate 
a precedence to be used in the application of ACSPO. Note that, although the- 
oretically there are exponentially many possibilities, in practice it can be done 
efficiently (like for the non-AC case). After that, we obtain constraints on $\succeq_Q$ 
and $\succ_Q$ by applying the definition of ACSPO. For instance, for Example 6, 
after guessing the precedence $* \succ_{\mathcal{F}} + \succ_{\mathcal{F}} 1 \succ_{\mathcal{F}} 0 \succ_{\mathcal{F}} \#$ and assuming, for 
simplicity reasons, that $\succeq_I$ (resp. $\succ_I$) and $\succeq_Q$ (resp. $\succ_Q$) coincide, we have the 
following constraints. 

The first set is coming from the first condition of the definition of ACMSPO: 

$(\#)0 \succeq_I \#$ 

$x + \# \succeq_I x$ 

$x * \# \succeq_I \#$ 

$(x)0 + (y)0 \succeq_I (x + y)0$ 

$(x)0 + (y)1 \succeq_I (x + y)1$ 

$(x)1 + (y)1 \succeq_I (x + y + (\#)1)0$ 

$x * (y)0 \succeq_I (x * y)0$ 

$x * (y)1 \succeq_I x + (x * y)0$ 

The second set is coming from the recursive application of the definition of 
ACSPO, by adding all conditions on $\succeq_I$ and $\succ_I$ (in fact, on $\succeq_Q$ and $\succ_Q$) that 
we find in the chosen path of the definition of ACSPO (we have taken the 
same path as in the proof given in the example). In this example, since most 
of the comparisons are solved by subterm (case 1), AC-embedding (case 2) or 
precedence (case 3), we have only one constraint in this second set: 

$(x)1 + (y)1 \succ_I x + y + (\#)1$ 

These constraints can be handled and solved by finding an appropriate polyno- 
mial interpretation (as done, for instance, in the CiME system [CMMU00]). We are 
currently working on the implementation of this method inside the Termptation 
system. 
7 Further Work and Conclusions 

The ACMSPO is the first general method not being a simplification ordering that 
can prove AC-termination automatically without considering extended rules. 
This allows us to prove in a simple way several non-trivial examples of the lit- 
erature. All alternative automatable methods we know of, based on dependency 
pairs, require the addition of extended rules. 

In order to ensure monotonicity and stability under substitutions we have 
needed to impose some additional conditions on the underlying orderings used in 
ACSPO. These conditions can be relaxed by adding more checking in the ACSPO 
and some more linearizations, which restrict the application of the method. This 
trade-off between the conditions imposed on the underlying orderings and the 
conditions required in the checking of ACSPO has to be further analyzed. 

Another nice property of our method is that we strongly believe that it can 
be easily combined with methods based on extended rules. In fact, we can obtain 
a much simpler AC-compatible version of SPO, called EACSPO, which needs to 
consider extended rules. In this case, we only need to flatten terms and require 
the underlying quasi-ordering to be AC-compatible. The resulting method is 
very similar to the existing AC-versions of the dependency pair method. 

We are currently working on the combination of both AC-extensions of SPO, 
namely ACSPO and EACSPO, with the aim of obtaining a method such that 
for every AC-symbol we can choose whether we add the extended rules or not. 
Then an AC-symbol is treated like in the ACSPO if it has no extended rules 
included, otherwise it is treated like in EACSPO, which is almost like the other 
symbols. In this way we can get the best of both methods. 
Abstract. In this article we introduce the notion of a generalized sys- 
tem of fundamental sequences and we define its associated slow-growing 
hierarchy. We claim that these concepts are genuinely related to the clas- 
sification of the complexity, the derivation length, of rewrite systems 
for which termination is provable by a standard termination ordering. 
To substantiate this claim, we re-obtain multiple recursive bounds on 
the derivation length for rewrite systems terminating under lexicographic 
path ordering, originally established by the second author. 



1 Introduction 

To show termination of a rewrite system $R$ one usually shows that the induced 
reduction relation is contained in some abstract ordering known to be well- 
founded. One way to assess the strength of such a termination ordering is to 
calculate its order type, cf. [7]. There appears to be a subtle relationship be- 
tween these order types and the complexity of the rewrite system $R$ considered. 
Cichon [5] discussed (and investigated) whether the complexity of a rewrite sys- 
tem for which termination is provable using a termination ordering of order type 
$\alpha$ is eventually dominated by a function from the slow-growing hierarchy along 
$\alpha$. It turned out that this principle, henceforth referred to as (CP), is valid 
for the (i) multiset path ordering ($\succ_{mpo}$) and the (ii) lexicographic path ordering 
($\succ_{lpo}$). 

More precisely, Hofbauer [9] proved that $\succ_{mpo}$ as termination ordering implies 
primitive recursive derivation length, while the second author showed that $\succ_{lpo}$ 
as termination ordering implies multiply-recursive derivation length [17]. If one 
regards the order types of $\succ_{mpo}$ and $\succ_{lpo}$, respectively, then these results imply 
the correctness of (CP) for (i) and (ii). Buchholz [3] has given an alternative proof 
of (CP) for (i) and (ii). His proof avoids the (sometimes lengthy) calculations 
with functions from subrecursive hierarchies in [9,17]. Instead a clever application 
of proof-theoretic results is used. Although this proof is of striking beauty, one 
might miss the link to term rewriting theory that is provided in [9,17]. 
The mentioned proofs [9,17,3] of (CP), with respect to (i) and (ii), are 
indirect, i.e., without direct reference to the slow-growing hierarchy. By now, we 
know from the work of Touzet [16] and Lepper [10,11] that (CP) fails to hold 
in general. However, our interest in (CP) is motivated by our strong belief that 
there exist reliable ties between proof theory and term rewriting theory, ties 
which become particularly apparent if one studies those termination orderings 
for which (CP) holds. 

To articulate this belief we give yet another direct proof of (CP) (with respect 
to (i) and (ii)). To this avail we introduce the notion of a generalized system 
of fundamental sequences and we define its associated slow-growing hierarchy. 
These concepts are genuinely related to classifying derivation lengths for rewrite 
systems for which termination is proved by a standard termination ordering. To 
emphasize this let us present the general outline of the proof method. 

Let terms $s = t_0, t_1, \ldots, t_n$ be given, such that $s \to_R t_1 \to_R \cdots \to_R t_n$ holds, 
where $t_n$ is in normal form and the term-depth of $s$ ($\tau(s)$) is $\leq m$. Assume $\to_R$ is 
contained in a termination ordering $\succ$. Hence $s \succ t_1 \succ \cdots \succ t_n$ holds. Assume 
further the sequence $(s, t_1, \ldots, t_n)$ is chosen so that $n$ is maximal. Then in the 
realm of classifications of derivation lengths one usually defines an interpretation 
$\mathcal{I}: \mathcal{T}(\Sigma, \mathcal{V}) \to \mathbb{N}$ such that $\mathcal{I}(s) > \mathcal{I}(t_1) > \cdots > \mathcal{I}(t_n)$ holds. ($\mathcal{T}(\Sigma, \mathcal{V})$ denotes 
the term algebra over the signature $\Sigma$ and the set of variables $\mathcal{V}$.) The existence 
of such an interpretation then directly yields a bound on the derivation length. 

The problem with this approach is to guess the right interpretation from the 
beginning. More often than not this is not at all obvious. Therefore we want 
to generate the interpretation function directly from the termination ordering 
in an intrinsic way. To this avail we proceed as follows. We separate $\mathcal{I}$ into an 
ordinal interpretation $\pi: \mathcal{T}(\Sigma) \to T$ and an ordinal theoretic function $g: T \to 
\mathbb{N}$. ($T$ denotes a suitably chosen set of terms representing an initial segment 
of the ordinals, cf. Definition 2.) This works smoothly. Firstly, we can employ 
the connection between the termination ordering $\succ$ and the ordering $>$ on the 
notation system $T$. This connection was already observed by Dershowitz and 
Okada, cf. [7]. Secondly, it turns out that $g$ can be defined in terms of the slow- 
growing function $G_x: T \to \mathbb{N}$; $x \in \mathbb{N}$. (Note that we have swapped the usual 
denotation of arguments, see Definition 4 and Definition 9.) 

To simplify the presentation we restrict our attention to a rewrite system 
$R$ whose termination can be shown by a lexicographic path ordering $\succ_{lpo}$. It 
will become apparent later that the proof presented below is (relatively) easily 
adaptable to the case where the rewrite relation $\to_R$ is contained in a multiset 
path ordering $\succ_{mpo}$. We assume the signature $\Sigma$ contains at least one constant $c$. 

Let $R$ be a rewrite system over $\mathcal{T}(\Sigma, \mathcal{V})$ such that $\to_R$ is contained in a 
lexicographic path ordering. Let terms $s = t_0, t_1, \ldots, t_n$ be given, such that 
$s \to_R t_1 \to_R \cdots \to_R t_n$ holds, where $t_n$ is in normal form and $\tau(s) \leq m$. By our 
choice of $R$ this implies 

$$s \succ_{lpo} t_1 \succ_{lpo} \cdots \succ_{lpo} t_n \qquad (1)$$ 

We define a ground substitution $\rho$: $\rho(x) = c$ for all $x \in \mathcal{V}$. Let $>$ denote a suitably 
defined (well-founded) ordering relation on the ordinal notation system $T$. Let 
$l, r \in \mathcal{T}(\Sigma, \mathcal{V})$. Depending on $m$ and properties of $R$, we show the existence of 
a natural number $h$ such that $l \succ_{lpo} r$ implies $\pi(l\rho) > \pi(r\rho)$ and $G_h(\pi(l\rho)) > 
G_h(\pi(r\rho))$, respectively. Employing this form of an Interpretation Theorem we 
conclude from (1) for some $\alpha \in T$ 

$$\alpha > \pi(s\rho) > \pi(t_1\rho) > \cdots > \pi(t_n\rho)$$ 

and consequently 

$$G_h(\alpha) > G_h(\pi(s\rho)) > G_h(\pi(t_1\rho)) > \cdots > G_h(\pi(t_n\rho)) .$$ 

Thus $G_h(\alpha)$ calculates an upper bound for $n$. Therefore the complexity of $R$ can 
be measured in terms of the slow-growing hierarchy along the order type of $T$. 

To see that this method calculates an optimal bound, it remains to relate the 
function $G_x: T \to \mathbb{N}$ to the multiply-recursive functions. We employ Girard's 
Hierarchy Comparison Theorem [8]. Due to (a variant of) this theorem any 
multiple-recursive function can be majorized by functions from the slow-growing 
hierarchy and vice versa.¹ (For further details see Section 4.) 

Contrary to the original proof in [17], we can thus circumvent technical cal- 
culations with the $F$-hierarchy (the fast-growing hierarchy) and can shed light 
on the way the slow-growing hierarchy relates the order type of the termination 
ordering to the bound on the length of reduction sequences along $\to_R$. 

2 The Lexicographic Path Ordering 

We assume familiarity with the basic concepts of term rewriting. However, we 
fix some notations. Let $\Sigma = \{f_1, \ldots, f_K\}$ denote a finite signature such that any 
function symbol $f \in \Sigma$ has a unique arity, denoted as $ar(f)$. The cardinality $K$ 
is assumed to be fixed in the sequel. To avoid trivialities we demand that $\Sigma$ is 
non-empty and contains at least one constant, i.e. a function symbol of arity 0. 
We set $N := \max\{ar(f) : f \in \Sigma\}$. 

The set of terms over $\Sigma$ and the countably infinite set of variables $\mathcal{V}$ is denoted 
as $\mathcal{T}(\Sigma, \mathcal{V})$. We will use the meta-symbols $l, r, s, t, u, \ldots$ to denote terms. The set 
of variables occurring in a term $t$ is denoted as $var(t)$. A term $t$ is called ground 
or closed if $var(t) = \emptyset$. The set of ground terms over $\Sigma$ is denoted as $\mathcal{T}(\Sigma)$. If 
no confusion can arise, the reference to the signature $\Sigma$ and the set of variables 
$\mathcal{V}$ is dropped. With $\tau(s)$ we denote the term depth of $s$, defined as $\tau(s) := 0$ if 
$s \in \mathcal{V}$ or $s \in \Sigma$, and otherwise $\tau(f(s_1, \ldots, s_m)) := \max\{\tau(s_i) : 1 \leq i \leq m\} + 1$. 
A substitution $\sigma: \mathcal{V} \to \mathcal{T}$ is a mapping from the set of variables to the set of 
terms. The application of a substitution $\sigma$ to a term $t$ is (usually) written as $t\sigma$ 
instead of $\sigma(t)$. 

A term rewriting system (or rewrite system) $R$ over $\mathcal{T}$ is a finite set of rewrite 
rules $(l, r)$. The rewrite relation $\to_R$ on $\mathcal{T}$ is the least binary relation on $\mathcal{T}$ 
containing $R$ such that (i) if $s \to_R t$ and $\sigma$ is a substitution, then $s\sigma \to_R t\sigma$ 
holds, and (ii) if $s \to_R t$, then $f(\ldots, s, \ldots) \to_R f(\ldots, t, \ldots)$. A rewrite system 
$R$ is terminating if there is no infinite sequence $(t_i : i \in \mathbb{N})$ of terms such that 
$t_1 \to_R t_2 \to_R \cdots \to_R t_m \to_R \cdots$. Let $\succ$ denote a total order on $\Sigma$ such that 
$f_j \succ f_i \iff j > i$ for $i, j \in \{1, \ldots, K\}$. The lexicographic path ordering $\succ_{lpo}$ on 
$\mathcal{T}$ (induced by $\succ$) is defined as follows, cf. [1]. 

Definition 1. $s \succ_{lpo} t$ iff 

1. $t \in var(s)$ and $s \neq t$, or 

2. $s = f_j(s_1, \ldots, s_m)$, $t = f_i(t_1, \ldots, t_n)$, and 

— there exists $k$ ($1 \leq k \leq m$) with $s_k \succeq_{lpo} t$, or 

— $j > i$ and $s \succ_{lpo} t_l$ for all $l = 1, \ldots, n$, or 

— $i = j$ and $s \succ_{lpo} t_l$ for all $l = 1, \ldots, n$, and there exists an $i_0$ ($1 \leq i_0 \leq 
m$) such that $s_1 = t_1, \ldots, s_{i_0 - 1} = t_{i_0 - 1}$ and $s_{i_0} \succ_{lpo} t_{i_0}$. 

Proposition 1 (Kamin-Levy). 

1. If $s \succ_{lpo} t$, then $var(t) \subseteq var(s)$. 

2. For any total order $\succ$ on $\Sigma$, the induced lexicographic path ordering $\succ_{lpo}$ is a sim- 
plification order on $\mathcal{T}$. 

3. If $R$ is a rewrite system such that $\to_R$ is contained in a lexicographic path 
ordering, then $R$ is terminating. 

Proof. Folklore. 

¹ A $k$-ary function $g$ is said to be majorized by a unary function $f$ if there ex- 
ists a number $n < \omega$ such that $g(x_1, \ldots, x_k) < f(\max\{x_1, \ldots, x_k\})$, whenever 
$\max\{x_1, \ldots, x_k\} > n$. 
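As an added illustration of Definition 1 (this is not code from the paper), the following Python decides $s \succ_{lpo} t$ on terms written as nested tuples, with the precedence given as a list of symbols from smallest to largest, and uses it to orient a small constructed rewrite system (Peano addition and the Ackermann function). The term encoding and the sample system are assumptions of the example; the three bullets of case 2 are implemented in the order the definition states them.

```python
# Terms: variables are strings, applications are tuples ('f', arg1, ..., argn).
# The precedence is a list f_1, ..., f_K from smallest to largest symbol.

def occurs(x, t):
    """x in var(t)."""
    return t == x if isinstance(t, str) else any(occurs(x, a) for a in t[1:])

def make_lpo(precedence):
    rank = {f: i for i, f in enumerate(precedence)}

    def gt(s, t):
        """s >_lpo t, following the two cases of Definition 1."""
        if isinstance(t, str):                       # case 1: t is a variable of s, s != t
            return s != t and occurs(t, s)
        if isinstance(s, str):                       # a variable is below every non-variable
            return False
        f, *ss = s
        g, *ts = t
        if any(ge(sk, t) for sk in ss):              # case 2, 1st bullet: some s_k >=_lpo t
            return True
        if rank[f] > rank[g]:                        # 2nd bullet: f > g and s > every t_l
            return all(gt(s, tl) for tl in ts)
        if f == g and all(gt(s, tl) for tl in ts):   # 3rd bullet: same head, lexicographic
            for sk, tk in zip(ss, ts):
                if sk != tk:
                    return gt(sk, tk)
        return False

    def ge(s, t):
        return s == t or gt(s, t)

    return gt

def oriented(rules, gt):
    """True if every rule l -> r of the system satisfies l >_lpo r."""
    return all(gt(l, r) for l, r in rules)

# Constructed example system: Peano addition and the Ackermann function.
Z = ('0',)
ACK = [
    (('ack', Z, 'y'), ('s', 'y')),
    (('ack', ('s', 'x'), Z), ('ack', 'x', ('s', Z))),
    (('ack', ('s', 'x'), ('s', 'y')), ('ack', 'x', ('ack', ('s', 'x'), 'y'))),
    (('plus', 'x', Z), 'x'),
    (('plus', 'x', ('s', 'y')), ('s', ('plus', 'x', 'y'))),
]
lpo = make_lpo(['0', 's', 'plus', 'ack'])
```

With the precedence $ack \succ plus \succ s \succ 0$ every rule of `ACK` is oriented; the third Ackermann rule is the one that needs the lexicographic bullet (first arguments $s(x) \succ_{lpo} x$ after the head comparison), which a multiset path ordering would not handle. Swapping $s$ above $plus$ in the precedence makes `oriented` fail on $plus(x, s(y)) \to s(plus(x, y))$, since no argument of the left-hand side is $\succeq_{lpo}$ the right-hand side and the head symbols then compare the wrong way.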



3 Ordinal Terms and the Lexicographic Path Ordering 

Let $N$ be defined as in the previous section. In this section we define a set of terms 
$T$ (and a subset $P \subseteq T$) together with a well-ordering $<$ on $T$. The elements of 
$T$ are built from $0$, $+$ and the $(N + 1)$-ary function symbol $\psi$. It is important to 
note that the elements of $T$ are terms, not ordinals. Although these terms can 
serve as representations of an initial segment of the set of ordinals $On$, we will 
not make any use of this interpretation. In particular the reader not familiar 
with proof theory should have no difficulties to understand the definitions and 
propositions of this section. However some basic amount of understanding in 
proof theory may be useful to grasp the origin and meaning of the presented 
concepts, cf. [7,11,15]. For the reader familiar with proof theory: Note that $P$ 
corresponds to the set of additive principal numbers in $T$, while $\psi$ represents the 
(set-theoretical) fixed-point free Veblen function, cf. [15,11]. 

Definition 2. Recursive definition of a set $T$ of ordinal terms, a subset $P \subseteq T$, 
and a binary relation $>$ on $T$. 

1. $0 \in T$. 

2. If $\alpha_1, \ldots, \alpha_m \in P$ and $\alpha_1 \geq \cdots \geq \alpha_m$, then $\alpha_1 + \cdots + \alpha_m \in T$. 

3. If $\alpha_1, \ldots, \alpha_{N+1} \in T$, then $\psi(\alpha_1, \ldots, \alpha_{N+1}) \in P$ and $\psi(\alpha_1, \ldots, \alpha_{N+1}) \in T$. 

4. $\alpha \neq 0$ implies $\alpha > 0$. 

5. $\alpha > \beta_1, \ldots, \beta_m$ and $\alpha \in P$ implies $\alpha > \beta_1 + \cdots + \beta_m$. 

6. Let $\alpha = \alpha_1 + \cdots + \alpha_m$, $\beta = \beta_1 + \cdots + \beta_n$. Then $\alpha > \beta$ iff 

— $m > n$, and for all $i \in \{1, \ldots, n\}$, $\alpha_i = \beta_i$, or 

— there exists $i$ ($i \in \{1, \ldots, m\}$) such that $\alpha_1 = \beta_1, \ldots, \alpha_{i-1} = \beta_{i-1}$, and 
$\alpha_i > \beta_i$. 

7. Let $\alpha = \psi(\alpha_1, \ldots, \alpha_{N+1})$, $\beta = \psi(\beta_1, \ldots, \beta_{N+1})$. Then $\alpha > \beta$ iff 

— there exists $k$ ($1 \leq k \leq N + 1$) with $\alpha_k \geq \beta$, or 

— $\alpha > \beta_l$ for all $l = 1, \ldots, N + 1$ and there exists an $i_0$ ($1 \leq i_0 \leq N + 1$) 
such that $\alpha_1 = \beta_1, \ldots, \alpha_{i_0 - 1} = \beta_{i_0 - 1}$ and $\alpha_{i_0} > \beta_{i_0}$. 

We use lower-case Greek letters to denote the elements of $T$. Furthermore we 
formally define $\alpha + 0 = 0 + \alpha = \alpha$ for all $\alpha \in T$. 

We sometimes abbreviate sequences of (ordinal) terms like $\alpha_1, \ldots, \alpha_{N+1}$ by $\bar{\alpha}$. 
Hence, instead of $\psi(\alpha_1, \ldots, \alpha_{N+1})$ we may write $\psi(\bar{\alpha})$. To relate the elements of 
$T$ to more expressive ordinal notations, we define $1 := \psi(\bar{0})$, $\omega := \psi(\bar{0}, 1)$, 
$\varepsilon_0 := \psi(\bar{0}, 1, 0)$. Let $Lim$ be the set of elements in $T$ which are neither $0$ nor of 
the form $\alpha + 1$. Elements of $Lim$ are called limit ordinal terms. 

Proposition 2. Let $(T, <)$ be defined as above. Then $(T, <)$ is a well-ordering. 

Proof. Let $|\alpha|$ denote the number of symbols in the ordinal term $\alpha$. Exploiting 
induction on $|\alpha|$ one easily verifies that the ordering $(T, <)$ is well-defined. To 
show well-foundedness one uses induction on the lexicographic path ordering 
$\succ_{lpo}$, exploiting the close connection between Definition 1.2 in Section 2 and 
Definition 2.7 above. □ 

In the following proposition we want to relate the order type of the well- 
ordering $(T, <)$ and the well-partial ordering $\succ_{lpo}$. Concerning the latter it is 
best to momentarily restrict our attention to the well-ordering $(\mathcal{T}(\Sigma), \succ_{lpo})$. We 
indicate the arity of the function symbol $\psi$ employed in Definition 2. We write 
$(T(N + 1), <)$ instead of $(T, <)$. Similarly we write $(\mathcal{T}(\Sigma(N)), \succ_{lpo})$ to indicate 
the maximal arity $N$ of function symbols in the finite signature $\Sigma$. Let $\vartheta\Omega^\omega(0)$ 
denote the small Veblen ordinal [15] and let $otyp(M)$ denote the order type of 
a well-ordering $M$. 

Proposition 3. 1. For any number $k$, there exists an order isomorphic em- 
bedding from $(\mathcal{T}(\Sigma(k)), \succ_{lpo})$ into $(T(k + 1), <)$. 

2. For any number $k > 2$, there exists an order isomorphic embedding from 
$(T(k), <)$ into $(\mathcal{T}(\Sigma(k)), \succ_{lpo})$. 

3. $\sup_{k < \omega}(otyp((T(k), <))) = \sup_{k < \omega}(otyp((\mathcal{T}(\Sigma(k)), \succ_{lpo}))) = \vartheta\Omega^\omega(0)$. 

Proof. The first two assertions are a consequence of the well-ordering proof of 
$(T, <)$. We only comment on the stated lower bound in the second one. The 
statement fails for $(T(2), <)$ and $(\mathcal{T}(\Sigma(2)), \succ_{lpo})$. The presence of the binary 
function symbol $+$ in $T(2)$ can make the ordering $<$ more expressive than $\succ_{lpo}$. 
This difference vanishes for $k \geq 3$. The third assertion follows from [14]. □ 
4 Fundamental Sequences and Sub-recursive Hierarchies 

To each ordinal term $\alpha \in T$ we assign a canonical sequence of ordinal terms 
$(\alpha[x] : x \in \mathbb{N})$, the fundamental sequence. The concept of fundamental sequences 
is a crucial one in (ordinal) proof theory. The main idea of utilizing fundamental 
sequences in term rewriting is that the descent along the branches of such a se- 
quence can, informally speaking, code rewriting steps. We have to wade through 
some technical definitions. 

We define the set $IS_{\bar{\alpha}}(\gamma)$, the set of interesting subterms of $\gamma$ (relative to $\bar{\alpha}$), 
by induction on $\gamma$. We set $IS_{\bar{\alpha}}(0) := \emptyset$, $IS_{\bar{\alpha}}(\gamma_1 + \cdots + \gamma_m) := \bigcup_{i=1}^{m} IS_{\bar{\alpha}}(\gamma_i)$, and 
finally 

$$IS_{\bar{\alpha}}(\psi(\bar{\gamma})) := \begin{cases} \{\psi(\bar{\gamma})\} & \text{if } (\gamma_1, \ldots, \gamma_N) >_{lex} (\alpha_1, \ldots, \alpha_N) \\ \bigcup_{i} IS_{\bar{\alpha}}(\gamma_i) & \text{otherwise.} \end{cases}$$ 

The (relative to $\bar{\alpha}$) maximal interesting subterm $MS_{\bar{\alpha}}(\gamma_1, \ldots, \gamma_n)$ of a non- 
empty sequence $(\gamma_1, \ldots, \gamma_n)$ is defined as the maximum of the terms occurring 
in $\bigcup_i IS_{\bar{\alpha}}(\gamma_i)$. Let $>_{lex}$ denote the lexicographic ordering on sequences of ordinal 
terms induced by $>$. Let $\bar{\alpha} = \alpha_1, \ldots, \alpha_N \in T$. Then set 

$$Fix(\bar{\alpha}) := \{\psi(\bar{\gamma}, \delta) : \bar{\gamma} >_{lex} \bar{\alpha} \text{ and } \psi(\bar{\gamma}, \delta) > \alpha_i \text{ for all } i = 1, \ldots, N\} .$$ 

For a unary function symbol $f$ we define the $n$-th iteration $f^n$ inductively as 
(i) $f^0(x) := x$, and (ii) $f^{n+1}(x) := f(f^n(x))$. We will make use of this notation 
for functions of higher arity by assuming that all but one argument remain fixed. 
We use $\cdot$ to indicate the free position. In the sequel $\lambda$ (possibly extended by a 
subscript) will always denote a limit ordinal term. 

Definition 3. Recursive definition of $\alpha[x]$ for $x < \omega$. 

$0[x] := 0$ 

$(\alpha_1 + \cdots + \alpha_m)[x] := \alpha_1 + \cdots + \alpha_m[x]$, for $m > 1$, $\alpha_1 \geq \cdots \geq \alpha_m$ 

$\psi(\bar{0})[x] := 0$ 

$\psi(\bar{0}, \beta + 1)[x] := \psi(\bar{0}, \beta) \cdot (x + 1)$ 

$\psi(\bar{0}, \lambda)[x] := \psi(\bar{0}, \lambda[x])$, if $\lambda \notin Fix(\bar{0})$ 

$\psi(\bar{0}, \lambda)[x] := \lambda \cdot (x + 1)$, if $\lambda \in Fix(\bar{0})$ 

$\psi(\alpha_1, \ldots, \alpha_i + 1, \bar{0}, 0)[x] := \psi(\alpha_1, \ldots, \alpha_i, \cdot, \bar{0})^{x+1}(0)$ 

$\psi(\alpha_1, \ldots, \alpha_i + 1, \bar{0}, \beta + 1)[x] := \psi(\alpha_1, \ldots, \alpha_i, \cdot, \bar{0})^{x+1}(\psi(\alpha_1, \ldots, \alpha_i + 1, \bar{0}, \beta))$ 

$\psi(\alpha_1, \ldots, \alpha_i + 1, \bar{0}, \lambda)[x] := \psi(\alpha_1, \ldots, \alpha_i + 1, \bar{0}, \lambda[x])$, if $\lambda \notin Fix(\bar{\alpha}, \bar{0})$ 

$\psi(\alpha_1, \ldots, \alpha_i + 1, \bar{0}, \lambda)[x] := \psi(\alpha_1, \ldots, \alpha_i, \cdot, \bar{0})^{x+1}(\lambda)$, if $\lambda \in Fix(\bar{\alpha}, \bar{0})$ 

$\psi(\alpha_1, \ldots, \lambda_i, \bar{0}, 0)[x] := \psi(\alpha_1, \ldots, \lambda_i[x], \bar{0}, MS_{\bar{\alpha}, \lambda_i, \bar{0}}(\bar{\alpha}, \lambda_i))$ 

$\psi(\alpha_1, \ldots, \lambda_i, \bar{0}, \beta + 1)[x] := \psi(\alpha_1, \ldots, \lambda_i[x], \bar{0}, \psi(\alpha_1, \ldots, \lambda_i, \bar{0}, \beta))$ 

$\psi(\alpha_1, \ldots, \lambda_i, \bar{0}, \lambda)[x] := \psi(\alpha_1, \ldots, \lambda_i, \bar{0}, \lambda[x])$, if $\lambda \notin Fix(\bar{\alpha}, \bar{0})$ 

$\psi(\alpha_1, \ldots, \lambda_i, \bar{0}, \lambda)[x] := \psi(\alpha_1, \ldots, \lambda_i[x], \bar{0}, \lambda)$, if $\lambda \in Fix(\bar{\alpha}, \bar{0})$ 
The above definition is given in such a way as to simplify the comparison 
between the fundamental sequences for $T$ and the fundamental sequences for the 
set of ordinal terms $T(2)$ (built from $0$, $+$, and a 2-ary function symbol $\psi$) as 
presented in [18]. Note that our definition is equivalent to the more compact one 
presented in [11]. The following proposition is stated without proof. A proof (for 
a slightly different assignment of fundamental sequences) can be found in [4]. 

Proposition 4. Let $\alpha \in T$ be given; assume $x < \omega$. If $\alpha > 0$, then $\alpha > \alpha[x]$. 
For $\alpha > 1$ we get $\alpha[x] > 0$, and if $\alpha \in Lim$, then $\alpha[x + 1] > \alpha[x]$. Finally, if 
$\beta < \alpha \in Lim$, then there exists $x < \omega$ such that $\beta < \alpha[x]$ holds. 

In the definition of $\psi(\alpha_1, \ldots, \lambda_i, \bar{0}, 0)[x]$ we introduce at the last position 
of $\psi$ the term $MS_{\bar{\alpha}}(\bar{\alpha})$. We cannot simply dispense with this term. To see this, 
we alter the definition of the crucial case. We momentarily consider only 3-ary 
$\psi$-functions; we set $\Gamma_0 := \psi(1, 0, 0)$ and calculate $\psi(0, \Gamma_0, 0)[x]$: 

$$\psi(0, \Gamma_0, 0)[x] = \psi(0, \psi(1, 0, 0)[x], 0) = \psi(0, \psi(0, \cdot, 0)^{x+1}(0), 0) = \psi(0, \cdot, 0)^{x+2}(0) < \psi(1, 0, 0) .$$ 

Hence for every $x < \omega$, $\psi(0, \Gamma_0, 0)[x] < \Gamma_0$ holds. This contradicts the last 
assertion of the proposition as $\Gamma_0 < \psi(0, \Gamma_0, 0)$. As a side-remark we want to 
mention that the given assignment of fundamental sequences even fulfills the 
Bachmann property, see [2]. Utilizing Definition 3 we are now in the position to 
define sub-recursive hierarchies of ordinal functions. 

Definition 4. (The slow-growing hierarchy.) Recursive definition of the function G_α : ω → ω for α ∈ T.

G_0(x) := 0
G_{α+1}(x) := G_α(x) + 1
G_λ(x) := G_{λ[x]}(x).

Definition 5. (The fast-growing hierarchy.) Recursive definition of the function F_α : ω → ω for α ∈ T.

F_0(x) := x + 1
F_{α+1}(x) := F_α^{x+1}(x)
F_λ(x) := F_{λ[x]}(x).

It is easy to see that G_α(x) ≤ F_α(x) for all α > 0. To see that the name of the hierarchy {G_α : α ∈ T} is appropriate, it suffices to calculate some examples. Take e.g. G_ω: G_ω(x) = G_{ψ(0)·(x+1)}(x) = G_{x+1}(x) = G_x(x) + 1 = x + 1.

Recall that a function f is elementary (in a function g) if f is definable explicitly from 0, 1, +, − (and g), using bounded sum and product. E(g) denotes the class of all such functions f. Then majorizes the elementary functions E. In contrast the function F_ω already majorizes the primitive recursive functions, i.e. its growth rate is comparable to the (binary) Ackermann function. Furthermore the class of multiply recursive functions can be characterized by the hierarchy {E(F_γ): γ < }, cf. [12,13].

However, the following theorem states a (surprising) connection between the slow- and fast-growing hierarchy. See e.g. [8,6,18] for further reading on the Hierarchy Comparison Theorem.

Theorem 1. (The Hierarchy Comparison Theorem.)

⋃_{α∈T} E(G_α) = ⋃_{γ<ω^{N+1}} E(F_γ).

Proof. We do not give a detailed proof, but only state the main idea. In [18] the hierarchy comparison theorem has been established for the set of ordinal terms T(2) (built from 0, +, and the function symbol ψ, where ar(ψ) = 2). To extend the result to T it suffices to follow the pattern of the proof in [18].

The difficult direction is to show that every function in the hierarchy {F_γ: γ < ω^{N+1}} is majorized by some G_α. To show this one in particular needs to extend the proofs of Lemma 5 and Theorem 1 in [18] adequately. The reversed direction follows by standard techniques, cf. [6]. □

5 The Interpretation Theorem

For all α ∈ T there are uniquely determined ordinal terms α_1 ≥ ··· ≥ α_m ∈ P such that α = α_1 + ··· + α_m holds. In addition, for every α ∈ P there exist unique α_1, ..., α_{N+1} such that α = ψ(α_1, ..., α_{N+1}). (This normal form property is trivial by definition.) Now assume α, β ∈ T with α = γ_1 + ··· + γ_{m_0}, β = γ_{m_0+1} + ··· + γ_m. Then the natural sum α # β is defined as γ_{p(1)} + ··· + γ_{p(m)}, where p denotes a permutation on {1, ..., m} such that γ_{p(1)} ≥ ··· ≥ γ_{p(m)} holds.

Let R denote a finite rewrite system whose induced rewrite relation is contained in >_lpo.

Definition 6. Recursive definition of the interpretation function π : T(Σ) → T. Let N denote the maximal arity of a function symbol in Σ. If s = f_j ∈ Σ, then set π(s) := ψ(j, 0). Otherwise, let s = f_j(s_1, ..., s_m) and set

π(s) := ψ(j, π(s_1), ..., π(s_m) + 1, 0).

In the sequel of this section we show that π defines an interpretation for R on (T, <); i.e. we establish the following theorem.

Theorem 2. For all s, t ∈ T(Σ) we have that s →_R t implies π(s) > π(t).

Unfortunately this is not strong enough. The problem is that α > β implies only that G_α majorizes G_β. Whereas to proceed with our general program (see Section 1) we need an interpretation theorem for a binary relation ≻ on T, such that α ≻ β ⟹ G_α(x) > G_β(x) holds for all x. We introduce a notion of a generalized system of fundamental sequences. Based on this generalized notion, it is then possible to define a suitable ordering ≻.

Definition 7. (Generalized system of fundamental sequences for (T,<).) Recursive definition of (α)^x for x < ω.

1. (0)^x := ∅.

2. Assume α = α_1 + ··· + α_m, m > 1. Then β ∈ (α)^x if either

— β = α_1 # ··· # α* # ··· # α_m and α* ∈ (α_i)^x holds, or

— β = α_i.

3. Assume α = ψ(α_1, ..., α_{N+1}). Then β ∈ (α)^x if

— β = ψ(α_1, ..., α*, ..., α_{N+1}) and α* ∈ (α_i)^x, or

— β = α_i + x, where α_i > 0, or

— β = α[x].

By recursion we define the transitive closure of the ownership (α)^x ∋ β: (α >_(x) β) :⟺ (∃δ ∈ (α)^x (δ >_(x) β ∨ δ = β)). Let α, β ∈ T. It is easy to verify that α >_(x) β (for some x < ω) implies α > β. If no confusion can arise we write α^x instead of (α)^x.

Lemma 1. (Subterm Property) Let x < ω be arbitrary.

1. α <_(x) γ_1 # ··· # α # ··· # γ_m.

2. α <_(x) ψ(γ_1, ..., α, ..., γ_{N+1}).

Proof. The first assertion is trivial. The second assertion follows by the definition of <_(x) and assertion 1. □

Lemma 2. (Monotonicity Property) Let x < ω be arbitrary.

1. If α >_(x) β, then γ_1 # ··· # α # ··· # γ_m >_(x) γ_1 # ··· # β # ··· # γ_m.

2. If α >_(x) β, then ψ(γ_1, ..., α, ..., γ_{N+1}) >_(x) ψ(γ_1, ..., β, ..., γ_{N+1}).

Proof. We employ induction on α to prove 1). We write (ih) for induction hypothesis. We may assume that α > 0. By definition of α >_(x) β we either have (i) that there exists δ ∈ α^x with δ >_(x) β, or (ii) β ∈ α^x. Firstly, one considers the latter case. Then (γ_1 # ··· # β # ··· # γ_m) ∈ (γ_1 # ··· # α # ··· # γ_m)^x holds by Definition 7. Therefore (γ_1 # ··· # β # ··· # γ_m) <_(x) (γ_1 # ··· # α # ··· # γ_m) follows. Now, we consider the first case. By assumption δ >_(x) β holds; by (ih) this implies (γ_1 # ··· # δ # ··· # γ_m) >_(x) (γ_1 # ··· # β # ··· # γ_m). Now (γ_1 # ··· # α # ··· # γ_m) >_(x) (γ_1 # ··· # δ # ··· # γ_m) follows by definition of >_(x), if we replace β by δ in the proof of the second case. This completely proves 1).

To prove 2) we proceed by induction on α. By definition of α >_(x) β we have either (i) δ ∈ α^x and δ >_(x) β, or (ii) β ∈ α^x. It is sufficient to consider the latter case; the first case follows from the second as above. By Definition 7, β ∈ α^x implies ψ(γ_1, ..., β, ..., γ_{N+1}) ∈ ψ(γ_1, ..., α, ..., γ_{N+1})^x. □
In the sequel we show the existence of a natural number e, such that for all s, t ∈ T, and any ground substitution ρ, s →_R t implies π(sρ) >_(e) π(tρ). Theorem 2 then follows as a corollary. The proof is involved, and makes use of a sequence of lemmas.

Lemma 3. Assume α, β ∈ Lim; x ≥ 1. If α >_(x) β, then α >_(x+1) β + 1 holds.

To prove the lemma we exploit the following auxiliary lemma.

Lemma 4. We assume the assumptions and notation of Lemma 3; assume Lemma 3 holds for all γ, δ ∈ Lim with γ, δ < α. Then α >_(x+1) α[x+1] >_(x+1) α[x] + 1.

Proof. The lemma follows by induction on the form of α by analyzing all cases of Definition 3. □

Proof. (of Lemma 3) The proof proceeds by induction on the form of α. We consider only the case where α = ψ(α_1, ..., α_{N+1}). The case where α = α_1 + ··· + α_m is similar but simpler.

By definition of α >_(x) β we have either (i) γ ∈ α^x and γ >_(x) β, or (ii) β ∈ α^x. Assume for γ ∈ α^x we have already shown that γ + 1 <_(x+1) α. Then for β <_(x) γ we conclude by (ih) and the Subterm Property β + 1 <_(x+1) γ <_(x+1) γ + 1 <_(x+1) α. Hence, it suffices to consider the second case. We proceed by case distinction on the form of β.

Case β = ψ(α_1, ..., α*, ..., α_{N+1}) where α* ∈ α_i^x for some i (1 ≤ i ≤ N+1). Note that α_i < α, hence (ih) is applicable to establish α* + 1 <_(x+1) α_i. Furthermore by the Subterm Property α* <_(x+1) α* + 1 follows, and therefore ψ(α_1, ..., α*, ..., α_{N+1}) <_(x+1) ψ(α_1, ..., α* + 1, ..., α_{N+1}) holds with Monotonicity. Applying (ih) with respect to ψ(α_1, ..., α* + 1, ..., α_{N+1}) we obtain

ψ(α_1, ..., α*, ..., α_{N+1}) + 1 <_(x+1) ψ(α_1, ..., α* + 1, ..., α_{N+1}) <_(x+1) ψ(α_1, ..., α_i, ..., α_{N+1}) = α.

The last inequality follows again by an application of the Monotonicity Property.

Case β = α_i + x: Then (α_i + x) + 1 = α_i + (x + 1) <_(x+1) α.

Case β = α[x]. Clearly β ∈ Lim. Then the auxiliary lemma becomes applicable. Thus α[x] + 1 <_(x+1) α[x+1] <_(x+1) α. □

Lemma 5. Let t ∈ T(Σ) be given. Assume τ(t) ≤ d, and f_j ∈ Σ. If f_j >_lpo t, then π(f_j) >_(2d) π(t).

Proof. We proceed by induction on τ(t). In the presentation of the argument, we will frequently employ the Subterm and the Monotonicity Property without further notice. Set α := π(f_j), and β := π(t). Furthermore it is a crucial observation that 0 <_(x) α holds for any x < ω, α ∈ T. (This follows by a simple induction on α.)

Case τ(t) = 0: Then by assumption t = f_i ∈ Σ, i < j. Hence i <_(2d) j holds and we conclude π(t) = ψ(i,0) <_(2d) ψ(j,0) = π(f_j).

Case τ(t) > 0: Let t = f_i(t_1, ..., t_n). Set β_l := π(t_l) for all l = 1, ..., n. By (ih) one obtains β_l <_(2(d−1)) α for all l. For all l, we need only consider the case where β_l ∈ α^{2(d−1)}. We consider ψ(j,0)[2d] and apply the following sequence of descents via >_(2d):

ψ(j,0)[2d] = ψ(j−1, ·, 0)^{2d+1}(0)
    >_(2d) ψ(j−1, ψ(j−1, ·, 0)^{2d−1}(0) + 1, 0)
    >_(2d) ψ(j−1, ψ(j−1, ·, 0)^{2d−1}(0), ·, 0)^{2d+1}(0),

where ψ(j−1, ·, 0)^{2d−1}(0) = ψ(j,0)[2(d−1)]. We define γ_1 := ψ(j,0)[2(d−1)] and γ_{k+1} := ψ(j−1, γ_1, ..., γ_k + 1, 0)[2(d−1)]. By iteration of the above descent, we see

α[2d] = ψ(j,0)[2d]
    >_(2d) ψ(j−1, γ_1, ..., γ_N + 1, 0)
    >_(2d) ψ(j−1, α[2(d−1)], ..., α[2(d−1)] + 1, 0) =: δ.

Let l (1 ≤ l ≤ n) be fixed. By assumption we have β_l ∈ α^{2(d−1)}. We proceed by case distinction on the definition of β_l.

Assume β_l = ψ(j,0)[2(d−1)]. Then δ = ψ(j−1, α[2(d−1)], ..., β_l, ..., α[2(d−1)] + 1, 0). Assume β_l = ψ(j*, 0), where j* ∈ j^{2(d−1)}, i.e. j* <_(2d) j − 1 <_(2d) j. Therefore α[2(d−1)] >_(2d) ψ(j−1, 0). Hence δ >_(2d) ψ(j−1, α[2(d−1)], ..., β_l, ..., α[2(d−1)] + 1, 0). Finally assume β_l = j + 2(d−1). Then β_l <_(2(d−1)+1) ψ(j−1, 0) <_(2(d−1)+1) ψ(j−1, ·, 0)^{2d−1}(0) = α[2(d−1)]. Hence β_l <_(2d) α[2(d−1)] by Lemma 3 and therefore δ >_(2d) ψ(j−1, α[2(d−1)], ..., β_l, ..., α[2(d−1)] + 1, 0).

As l was fixed but arbitrary, the above construction is valid for all l, and the lemma follows. □

Lemma 6. Let f_i(t_1, ..., t_n), f_j(s_1, ..., s_m) ∈ T(Σ) be given; let d > 0. Then

1. If i < j and π(f_j(s)) >_(2(d−1)) π(t_l) for all l = 1, ..., n, then π(f_j(s)) >_(2d) π(f_i(t)) holds.

2. If s_1 = t_1, ..., s_{i_0−1} = t_{i_0−1}, π(s_{i_0}) >_(2(d−1)) π(t_{i_0}), and π(f_j(s)) >_(2(d−1)) π(t_l) for all l = i_0 + 1, ..., n, then π(f_j(s)) >_(2d) π(f_j(t)) holds.

Proof. The proof of assertion 1) is similar to the proof of assertion 2) but simpler. Hence, we concentrate on 2). Set α := π(f_j(s)); β := π(f_j(t)); finally set α_l := π(s_l) for all l = 1, ..., m, and β_l := π(t_l) for all l = 1, ..., n. As above, we consider only the case where β_l ∈ α^{2(d−1)}. The other case follows easily.

α[2d] = ψ(j, α_1, ..., α_m + 1, 0)[2d]
    = ψ(j, α_1, ..., α_m, ψ(j, α_1, ..., α_m, ·, 0)^{2d}(0), 0)
    >_(2d) ψ(j, α_1, ..., α_m, ψ(j, α_1, ..., α_m, ·, 0)^{2d−1}(0) + 1, 0)
    = ψ(j, α_1, ..., α_m, ψ(j, α_1, ..., α_m + 1, 0)[2(d−1)] + 1, 0),

where ψ(j, α_1, ..., α_m + 1, 0)[2(d−1)] = α[2(d−1)]. Similar to above, we define γ_1 := α[2(d−1)] = ψ(j, α_1, ..., α_m + 1, 0)[2(d−1)] and γ_{k+1} := ψ(j, α_1, ..., α_m, γ_1, ..., γ_k + 1, 0)[2(d−1)] and obtain

α[2d] >_(2d) ψ(j, α_1, ..., α_m, γ_1, ..., γ_{N−m} + 1)
    >_(2d) ψ(j, α_1, ..., α_m, α[2(d−1)], ..., α[2(d−1)] + 1)
    >_(2d) ψ(j, α_1, ..., α_{i_0}, 0, α[2(d−1)] + 1).

By assumption β_{i_0} <_(2(d−1)) α_{i_0}; by Lemma 3 this implies β_{i_0} + 1 <_(2d) α_{i_0}. We set ᾱ := α_1, ..., α_{i_0−1}; then we obtain

ψ(j, ᾱ, α_{i_0}, 0, α[2(d−1)] + 1) >_(2d) ψ(j, ᾱ, β_{i_0} + 1, 0, α[2(d−1)] + 1)
    >_(2d) ψ(j, ᾱ, β_{i_0} + 1, 0, α[2(d−1)] + 1)[2d]
    >_(2d) ψ(j, ᾱ, β_{i_0}, ψ(j, ᾱ, β_{i_0} + 1, 0, α[2(d−1)]), 0)
    >_(2d) ψ(j, ᾱ, β_{i_0}, α[2(d−1)] + 1, 0)
    = ψ(j, β_1, ..., β_{i_0}, α[2(d−1)] + 1, 0).

As in the first part of the proof, we obtain

α[2d] >_(2d) ψ(j, ᾱ, α_{i_0}, 0, α[2(d−1)] + 1) >_(2d) ··· >_(2d) ψ(j, β_1, ..., β_{i_0}, α[2(d−1)], ..., α[2(d−1)] + 1, 0) =: γ.

By assumption we have β_l <_(2(d−1)) α for all l = 1, ..., n. It remains to prove that this implies β_l <_(2d) γ. For this it is sufficient to consider the case where β_l ∈ α^{2(d−1)}. The proof proceeds by case distinction on the construction of β_l. It is similar to the respective part in the proof of Lemma 5, and hence omitted. □



Lemma 7. Let s, t ∈ T be given. Assume s = f_j(s_1, ..., s_m), ρ is a ground substitution, τ(t) ≤ d. Assume further that s_k >_lpo u and τ(u) ≤ d implies π(s_kρ) >_(2d) π(uρ) for all u ∈ T. Then s >_lpo t implies π(sρ) >_(2d) π(tρ).

Proof. The proof is by induction on d.

Case d = 0: Hence τ(t) = 0; therefore t ∈ V or t = f_i ∈ Σ. Consider t ∈ V. Then t is a subterm of s. Hence there exists k (1 ≤ k ≤ m) s.t. t is a subterm of s_k. Hence s_k >_lpo t and by assumption this implies π(s_kρ) >_(2d) π(tρ), and therefore π(sρ) >_(2d) π(tρ) by the Subterm Property.

Now assume t = f_i ∈ Σ. As s >_lpo t, by assumption either i < j or s_k >_lpo t holds. In the latter case, the assumptions render π(s_kρ) >_(2d) π(tρ); hence π(sρ) >_(2d) π(tρ). Otherwise, π(sρ) = ψ(j, π(s_1ρ), ..., π(s_mρ) + 1, 0), while π(tρ) = π(t) = ψ(i, 0). As π(s_kρ) >_(x) 0 holds for arbitrary x < ω, we conclude π(sρ) >_(2d) π(tρ).

Case d > 0: Assume τ(t) > 0. (Otherwise, the proof follows the pattern of the case d = 0.) Let t = f_i(t_1, ..., t_n); clearly τ(t_l) ≤ d − 1 for all l = 1, ..., n. We start with the following observation: Assume there exists i_0 s.t. s >_lpo t_l holds for all l = i_0 + 1, ..., n. Then by (ih) we have π(sρ) >_(2(d−1)) π(t_lρ).

We proceed by case distinction on s >_lpo t. Assume firstly there exists k (1 ≤ k ≤ m) s.t. s_k >_lpo t. Utilizing the assumptions of the lemma, we conclude π(sρ) >_(2d) π(tρ). Now assume i < j and s >_lpo t_l for all l = 1, ..., n. Clearly sρ, tρ ∈ T(Σ). By the observation π(sρ) >_(2(d−1)) π(t_lρ) holds. Hence Lemma 6.1 becomes applicable and therefore π(sρ) >_(2d) π(tρ) holds true. Finally assume i = j; s_1 = t_1, ..., s_{i_0−1} = t_{i_0−1}, s_{i_0} >_lpo t_{i_0}, and s >_lpo t_l for all l = i_0 + 1, ..., m. Utilizing the observation, we see that Lemma 6.2 becomes applicable and therefore π(sρ) >_(2d) π(tρ). □

Lemma 8. Let t ∈ T(Σ) be given, assume τ(t) ≤ d. Then ψ(K + 1, 0) >_(2d) π(t).

Proof. The proof is by induction on τ(t) and follows the pattern of the proof of Lemma 5. □

Theorem 3. Let l, r ∈ T be given. Assume ρ is a ground substitution, τ(r) ≤ d. Then l >_lpo r implies π(lρ) >_(2d) π(rρ).

Proof. We proceed by induction on τ(s).

Case τ(s) = 0: Then s can either be a constant or a variable. As s >_lpo t holds, we can exclude the latter case. Hence assume s = f_j. As f_j >_lpo t, t is closed. Hence the assumptions of the theorem imply the assumptions of Lemma 5 and we conclude π(sρ) = π(s) >_(2d) π(t) = π(tρ).

Case τ(s) > 0: Then s can be written as f_j(s_1, ..., s_m). By (ih) s_k >_lpo u and τ(u) ≤ d imply π(s_kρ) >_(2d) π(uρ). Therefore the present assumptions contain the assumptions of Lemma 7 and hence π(sρ) >_(2d) π(tρ) follows. □

Theorem 4. (The Interpretation Theorem.) Let R denote a finite rewrite system whose induced rewrite relation is contained in >_lpo. Then there exists k < ω such that for all l, r ∈ T, and any ground substitution ρ, l →_R r implies π(lρ) >_(k) π(rρ).

Proof. Set d equal to max{τ(r) : ∃l (l, r) ∈ R}. Then the theorem follows as a corollary to Theorem 3 if k is set to 2d. □

6 Collapsing Theorem

We define a variant of the slow-growing hierarchy, cf. Definition 4, suitable for our purposes.

Definition 8. Recursive definition of the function Ĝ_α : ω → ω for α ∈ T.

Ĝ_0(x) := 0
Ĝ_α(x) := max{Ĝ_β(x) : β ∈ (α)^x} + 1.

Lemma 9. Let α ∈ T, α > 0 be given. Assume x < ω is arbitrary.

1. Ĝ_α is increasing. (Even strictly if α ≥ ω.)

2. If α >_(x) β, then Ĝ_α(x) > Ĝ_β(x).

Proof. Both assertions follow by induction over < on α. □

We need to know that this variant of the slow-growing hierarchy is indeed slow-growing. We show this by verifying that the hierarchies {G_α : α ∈ T} and {Ĝ_α : α ∈ T} coincide with respect to growth rate. It is a triviality to verify that there exists β ∈ T such that Ĝ_β majorizes G_α. (Simply set β = α.) The other direction is less trivial. One first proves that for any α ∈ T there exists γ < ω^{N+1} such that Ĝ_α(x) ≤ F_γ(x) for almost all x. Secondly one employs the Hierarchy Comparison Theorem once more to establish the existence of β ∈ T such that Ĝ_α(x) ≤ G_β(x) holds for almost all x.

Theorem 5.

⋃_{α∈T} E(G_α) = ⋃_{α∈T} E(Ĝ_α) = ⋃_{γ<ω^{N+1}} E(F_γ).



7 Complexity Bounds

The complexity of a terminating finite rewrite system R is measured by the derivation length function.

Definition 9. The derivation length function Dl_R : ω → ω. Let m < ω be given.
Dl_R(m) := max{n : ∃t_0, ..., t_n ∈ T ((t_0 →_R ··· →_R t_n) ∧ (τ(t_0) ≤ m))}.

Let R be a rewrite system over Σ such that →_R is contained in a lexicographic path ordering. Now assume that there exist s = t_0, t_1, ..., t_n ∈ T with τ(s) ≤ m such that

s →_R t_1 →_R ··· →_R t_n

holds. By our choice of R this implies s >_lpo t_1 >_lpo ··· >_lpo t_n. By assumption on Σ there exists c ∈ Σ with ar(c) = 0. We define a ground substitution ρ: ρ(x) = c for all x ∈ V. Let k < ω be defined as in Theorem 4. Recall that K denotes the cardinality of Σ. We conclude from the Interpretation Theorem and Lemma 8 that π(sρ) >_(k) π(t_1ρ) >_(k) ··· >_(k) π(t_nρ) and ψ(K + 1, 0) >_(2m) π(sρ). Setting h := max{2m, k} and utilizing Lemma 3, we obtain ψ(K + 1, 0) >_(h) π(sρ) >_(h) ··· >_(h) π(t_nρ). An application of Lemma 9.2 yields

Ĝ_{ψ(K+1,0)}(h) > Ĝ_{π(sρ)}(h) > ··· > Ĝ_{π(t_nρ)}(h).

Employing Theorem 5 we conclude the existence of γ < ω^{N+1} such that

F_γ(max{2m, k}) ≥ Ĝ_{ψ(K+1,0)}(max{2m, k}) ≥ Dl_R(m).

The class of multiply-recursive functions is captured by (see [13]). Thus we have established a multiply-recursive upper bound for the derivation length of R if →_R is contained in a lexicographic path ordering. Furthermore, this bound is essentially optimal, cf. [17].
8 Conclusion

The presented proof method is generally applicable. Let R denote a rewrite system whose termination can be shown via >_mpo. To yield a primitive recursive upper bound for the complexity of R the above proof can be employed. Firstly the definition of the interpretation function π has to be changed as follows. If s = f_j(s_1, ..., s_m), then we set

π(s) := ψ(j, π(s_1) # ··· # π(s_m) # 1).

Then the presented proof needs only partial changes. It suffices to reformulate (and reprove) Lemmas 5, 6, 7, and 8, respectively.

Future work will be concerned with the Knuth-Bendix ordering. Due to the more complicated nature of this ordering the statement of the interpretation is not so simple. Still we believe that only mild alterations of the given proof are necessary.
Abstract. We present a tool for automatically proving termination of first-order rewrite systems. The tool is based on the dependency pair method of Arts and Giesl. It incorporates several new ideas that make the method more efficient. The tool produces high-quality output and has a convenient web interface.

1 Introduction

Developing termination techniques for rewrite systems that can be automated has become an important research topic in the past few years. The dependency pair method of Arts and Giesl [3] is one of the most popular methods capable of automatically proving termination of first-order term rewrite systems (TRSs) that cannot be handled by traditional simplification orders. The dependency pair method has been implemented by Arts [1] and is part of the termination toolbox of CiME [5]. Tsukuba Termination Tool (TTT in the sequel) is a new tool in which the dependency pair method takes center stage. In the following sections we explain the features of TTT, give some implementation details, report on some of the experiments that we performed, and provide a brief comparison with the tools described in [1,5]. We conclude with some ideas for future extensions of the tool. Familiarity with the dependency pair method will be helpful in the sequel.

2 Interface

We describe the features of TTT by means of its web interface, displayed in Fig. 1.

TRS. The user inputs a TRS by typing the rules into the upper left text area or by uploading a file via the browse button. The input syntax is obtained by clicking the TRS link.

* http://www.score.is.tsukuba.ac.jp/ttt/
[Fig. 1 screen shot: the web form with the text areas TRS, COMMENT (optional) and BIBTEX (optional); the option groups base order (LPO, LPO with quasi-precedence, KBO), dependency pairs (yes, no), argument filterings (some, some more, all), divide and conquer, verbose, timeout (10 seconds), dependency graph (yes with approximation EDG, no) and cycle analysis (treat all cycles separately, treat all SCCs separately, new algorithm); the buttons RESET and SUBMIT.]

Fig. 1. A screen shot of the web interface of TTT.



Comment and Bibtex. Anything typed into the upper right text area will appear as a footnote in the generated LaTeX code. This is useful to identify TRSs. LaTeX commands may be included. A typical example is a line like

Example 33 (\emph{Battle of Hydra and Hercules}) in \cite{D33}.

In order for this to work correctly, a bibtex entry for D33 should be supplied. This can be done by typing the entry into the appropriate text area or by uploading an appropriate bibtex file via the browse button.

Base Order. The current version of TTT supports the following three base orders: LPO (lexicographic path order) with strict precedence, LPO with quasi-precedence, and KBO (Knuth-Bendix order) with strict precedence. The implementation of KBO is based on the polynomial-time algorithm of Korovin and Voronkov [11]. In Section 4 we comment on the implementation of LPO precedence constraint solving.

Dependency Pairs. Setting the dependency pair option activates the dependency pair technique of Arts and Giesl [2], which greatly enhances the termination proving power of the tool. The current version of TTT supports the basic features of the dependency pair technique (argument filtering, dependency graph, cycle analysis) described below. Advanced features like narrowing, rewriting, and instantiation are not yet available. Also innermost termination analysis is not yet implemented.

Argument Filtering. A single function symbol f of arity n gives rise to 2^n + n different argument filterings:

— f(x_1, ..., x_n) → f(x_{i_1}, ..., x_{i_m}) for all 1 ≤ i_1 < ··· < i_m ≤ n,

— f(x_1, ..., x_n) → x_i for all 1 ≤ i ≤ n.

A moment's thought reveals that even for relatively small signatures, the number of possible argument filterings is huge. TTT supports two simple heuristics to reduce this number.

— The some option considers for a function symbol f of arity n only the 'full' argument filtering f(x_1, ..., x_n) → f(x_1, ..., x_n) and the n 'collapsing' argument filterings f(x_1, ..., x_n) → x_i (1 ≤ i ≤ n).

— The some more option considers the argument filtering f(x_1, ..., x_n) → f (when n > 0) in addition to the ones considered by the some option.

Dependency Graph. The dependency graph determines the ordering constraints that have to be solved in order to guarantee termination. Since the dependency graph is in general not computable, a decidable approximation has to be adopted. The current version of TTT supplies two such approximations:

— EDG is the original estimation of Arts and Giesl [2, latter part of Section 2.4].

— EDG* is an improved version of EDG described in [12, latter half of Section 6].

We refer to [9] for some statistics related to these two approximations.

Cycle Analysis. Once an approximation of the dependency graph has been computed, some kind of cycle analysis is required to generate the actual ordering constraints. TTT offers three different methods:

1. The method described in [7] is to treat cycles in the approximated dependency graph separately. For every cycle C, the dependency pairs in C and the rewrite rules of the given TRS must be weakly decreasing and at least one dependency pair in C must be strictly decreasing (with respect to some argument filtering and base order).

2. Another method, implemented in [1,5], is to treat all strongly connected components (SCCs) separately. For every SCC S, the dependency pairs in S must be strictly decreasing and the rewrite rules of the given TRS must be weakly decreasing. Treating SCCs rather than cycles separately improves the efficiency at the expense of reduced termination proving power.

3. The third method available in TTT combines the termination proving power of the cycle method with the efficiency of the SCC method. It is described
Divide and Conquer. The default option to find a suitable argument filtering that enables a group of ordering constraints to be solved by the selected base order is enumeration, which can be very inefficient, especially for larger TRSs where the number of suitable argument filterings is small. Setting the divide and conquer option computes all suitable argument filterings for each constraint separately and subsequently merges them to obtain the solutions of the full set of constraints. This can (greatly) reduce the execution time at the expense of an increased memory consumption. The divide and conquer option is described in detail in [9]. At the moment of writing it is only available in combination with LPO.

Verbose. Setting the verbose option generates more proof details. In combination with the divide and conquer option described above, the total number of argument filterings that enable the successive ordering constraints to be solved is displayed during the termination proving process.

Timeout. Every combination of options results in a finite search space for finding termination proofs. However, since it can take days to fully explore the search space, (the web version of) TTT puts a strong upper bound on the permitted execution time.

3 Output

If TTT succeeds in proving termination, it outputs a proof script which explains in considerable detail how termination was proved. This script is available in both HTML and LaTeX format. In the latter, the approximated dependency graph is visualized using the dot tool of the Graphviz toolkit [8]. Fig. 2 shows the generated output (with slightly readjusted vertical space to fit a single page) on Example 17 (Egyptian Fractions) in Steinbach [15] (in [15] the binary function symbol l is denoted by the infix operator M). Here TTT is used with the EDG approximation of the dependency graph, the SCC approach to cycle analysis, some more argument filterings, and without the verbose option. As can be seen from Fig. 2, we prefer to output LPO precedences compactly like div > h > s as opposed to div > h; h > s (or worse: div > h; h > s; div > s). This is achieved by an obvious topological sorting algorithm.



4 Implementation

TTT is written in Objective Caml [13], which is a strongly typed functional programming language extended with object-oriented features. We make use of the latter for the enumeration of argument filterings, but most of the code is written in a purely functional style. For instance, to compute SCCs and cycles in the approximated dependency graph the depth-first search algorithm described
Termination Proof Script^a

We prove that the TRS R consisting of the 7 rewrite rules^b

div(x,y) → h(x,y,y)
egypt(0/y) → nil
egypt(s(x)/y) → div(y,s(x)) · egypt(l(s(x)/y, s(0)/div(y,s(x))))
h(s(0),y,z) → s(0)
h(s(s(x)),s(0),z) → s(h(s(x),z,z))
h(s(s(x)),s(s(y)),z) → h(s(x),s(y),z)
l(x/y, u/v) → ((x×v) − (y×u)) / (y×v)

is terminating. There are 6 dependency pairs:

1: DIV(x,y) → H(x,y,y)
2: EGYPT(s(x)/y) → DIV(y,s(x))
3: EGYPT(s(x)/y) → EGYPT(l(s(x)/y, s(0)/div(y,s(x))))
4: EGYPT(s(x)/y) → L(s(x)/y, s(0)/div(y,s(x)))
5: H(s(s(x)),s(0),z) → H(s(x),z,z)
6: H(s(s(x)),s(s(y)),z) → H(s(x),s(y),z)

[approximated dependency graph, drawn with dot in the generated output]

contains 2 SCCs: {5,6}, {3}.

— Consider the SCC {5,6}. By taking the AF · ↦ [] and LPO with precedence div > h > s; egypt ;l>/> nil, the rules in R are weakly decreasing and the rules in {5,6} are strictly decreasing.

— Consider the SCC {3}. By taking the AF ×, l ↦ [] and LPO with precedence egypt > ·; egypt > div > h > s; >!> ×; egypt > nil; l > ; l the rules in R are weakly decreasing and the rules in {3} are strictly decreasing.

References

1. J. Steinbach. Automatic termination proofs with transformation orderings. In Proc. 6th RTA, volume 914 of LNCS, pages 11-25, 1995.

^a http://www.score.is.tsukuba.ac.jp/ttt

^b Example 17 (Egyptian Fractions) in [1].

Fig. 2. Output.
in [10] is used. Below we comment on the implementation of LPO precedence constraint solving.

The definition of LPO with strict precedence can be rendered as follows:

s >lpo t = s >lpo1 t ∨ s >lpo2 t
x >lpo1 t = x >lpo2 t = ⊥
f(s_1, ..., s_n) >lpo1 t = ∃i (s_i = t ∨ s_i >lpo t)
f(s_1, ..., s_n) >lpo2 f(t_1, ..., t_n) = (∀j f(s_1, ..., s_n) >lpo t_j) ∧ (s_1, ..., s_n) >lex_lpo (t_1, ..., t_n)
f(s_1, ..., s_n) >lpo2 g(t_1, ..., t_m) = (∀j f(s_1, ..., s_n) >lpo t_j) ∧ f > g

with () >lex () = ⊥ and (s_1, ..., s_n) >lex (t_1, ..., t_n) = s_1 >lpo t_1 ∨ (s_1 = t_1 ∧ (s_2, ..., s_n) >lex (t_2, ..., t_n)) for n > 0. Finding a precedence > such that s >lpo t for concrete terms s and t is tantamount to solving the constraint that is obtained by unfolding the definition of s >lpo t. The constraint involves the boolean connectives ∧ and ∨, ⊤, and atomic statements of the forms f > g for function symbols f, g and s = t for terms s, t. These symbols are interpreted as sets of precedences, as follows:

⟦C ∨ D⟧ = mins(⟦C⟧ ∪ ⟦D⟧)        ⟦⊤⟧ = {∅}
⟦C ∧ D⟧ = mins(⟦C⟧ ⊗ ⟦D⟧)        ⟦f > g⟧ = {{(f,g)}}
⟦s = t⟧ = {∅} if s and t are the same term, ∅ otherwise

Here O_1 ⊗ O_2 denotes the set of all strict orders (>_1 ∪ >_2)^+ with >_1 ∈ O_1 and >_2 ∈ O_2. The purpose of the operator mins, which removes non-minimal precedences from its argument, is to avoid the computation of redundant precedences. For instance, one readily verifies that ⟦f(c) >lpo c⟧ = {∅} whereas without mins we would get ⟦f(c) >lpo c⟧ = {∅, {(f,c)}}.

Now, by encoding the above definitions one almost immediately obtains an implementation of LPO precedence constraint solving. For instance, TTT contains (a slightly optimized version of) the following OCaml code fragment:

let bottom = empty                          (* [[bottom]] = the empty set of precedences *)

let disj c d = minimal (union c d)          (* [[C v D]] *)

let conj c d = minimal (combine c d)        (* [[C ^ D]] *)

let rec lex rel ss ts =
  match ss, ts with
  | s :: ss', t :: ts' when s = t -> lex rel ss' ts'
  | s :: ss', t :: ts' -> rel s t
  | _ -> bottom                             (* <> >lex <> = bottom *)

let rec lpo s t = disj (lpo1 s t) (lpo2 s t)

and lpo1 s t =
  match s with
  | V _ -> bottom                           (* a variable is never greater *)
  | F (f, ss) -> exists (fun s' -> disj (equal s' t) (lpo s' t)) ss

and lpo2 s t =
  match s, t with
  | F (f, ss), F (g, ts) when f = g
    -> conj ((for_all (fun t' -> lpo s t')) ts) (lex lpo ss ts)
  | F (f, ss), F (g, ts)
    -> conj ((for_all (fun t' -> lpo s t')) ts) (prec f g)
  | _ -> bottom

The point we want to emphasize is that other precedence-based syntactic order- 
ings follow the same scenario and can thus be added very easily to TqT. 
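The constraint solver sketched above, as an added Python example that is not the TTT code: sets of precedences are sets of frozensets of pairs, the helpers mins and ⊗ that the OCaml fragment leaves out are written out, and the solver is run on the $f(c) >_{\mathrm{lpo}} c$ example from the text and, going one step beyond the fragment, on the conjunction of the constraints of several rules (the names V, F and orient are assumptions of this example).

```python
"""LPO precedence constraint solving with sets of minimal precedences."""
from itertools import product


def V(x):
    """A variable."""
    return ('V', x)


def F(f, *args):
    """A function application f(args); a constant is F('c')."""
    return ('F', f, tuple(args))


BOTTOM = frozenset()               # [[⊥]] = ∅ : no precedence satisfies the constraint
TOP = frozenset({frozenset()})     # [[⊤]] = {∅}: the empty precedence already suffices


def transitive_closure(pairs):
    rel = set(pairs)
    while True:
        new = {(a, d) for (a, b) in rel for (c, d) in rel if b == c} - rel
        if not new:
            return frozenset(rel)
        rel |= new


def minimal(cs):
    """mins: drop every precedence that strictly contains another one in the set."""
    return frozenset(p for p in cs if not any(q < p for q in cs))


def combine(c, d):
    """O1 ⊗ O2: all strict orders (>1 ∪ >2)^+ with >1 ∈ O1 and >2 ∈ O2.
    A union whose closure is cyclic (some (a, a) in it) is not a strict order."""
    out = set()
    for p, q in product(c, d):
        r = transitive_closure(p | q)
        if all(a != b for a, b in r):
            out.add(r)
    return frozenset(out)


def disj(c, d):
    return minimal(c | d)


def conj(c, d):
    return minimal(combine(c, d))


def prec(f, g):
    """[[f > g]] = {{(f, g)}}"""
    return frozenset({frozenset({(f, g)})})


def equal(s, t):
    """[[s = t]] = {∅} if s and t are the same term, ∅ otherwise"""
    return TOP if s == t else BOTTOM


def exists(pred, xs):
    acc = BOTTOM
    for x in xs:
        acc = disj(acc, pred(x))
    return acc


def for_all(pred, xs):
    acc = TOP
    for x in xs:
        acc = conj(acc, pred(x))
    return acc


def lex(rel, ss, ts):
    """Lexicographic comparison; an equal prefix is skipped, () >lex () = ⊥."""
    if ss and ts:
        if ss[0] == ts[0]:
            return lex(rel, ss[1:], ts[1:])
        return rel(ss[0], ts[0])
    return BOTTOM


def lpo(s, t):
    return disj(lpo1(s, t), lpo2(s, t))


def lpo1(s, t):
    if s[0] == 'V':
        return BOTTOM
    return exists(lambda s2: disj(equal(s2, t), lpo(s2, t)), s[2])


def lpo2(s, t):
    if s[0] == 'F' and t[0] == 'F':
        f, ss, g, ts = s[1], s[2], t[1], t[2]
        args_ok = for_all(lambda t2: lpo(s, t2), ts)
        if f == g and len(ss) == len(ts):
            return conj(args_ok, lex(lpo, ss, ts))
        return conj(args_ok, prec(f, g))
    return BOTTOM


def orient(rules):
    """Minimal precedences under which every rule l -> r satisfies l >lpo r."""
    acc = TOP
    for l, r in rules:
        acc = conj(acc, lpo(l, r))
    return acc


if __name__ == '__main__':
    print(lpo(F('f', F('c')), F('c')))                             # {∅}, as in the text
    print(orient([(F('f', F('g', V('x'))), F('g', F('f', V('x'))))]))  # {{(f, g)}}
```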



5 Experimental Results 

We tested the various options of TTT on numerous examples. Here we consider 
14 examples from the literature. Our findings are summarized in Tables 1 and 2. 
All experiments were performed on a notebook PC with an 800 MHz Pentium 
III CPU and 128 MB memory. The numbers in the two tables denote execution 
time in seconds. Italics indicate that TTT could not prove termination while 
fully exploring the search space implied by the options within the given time. 
Question marks denote a timeout of one hour. For the experiments in Table 1 
we used LPO with strict precedence as base order, EDG as dependency graph 
approximation, and enumeration of argument filterings. 

The three question marks for [6, Example 11] are explained by the fact that 
the dependency graph admits 4095 cycles (but only 1 strongly connected component, 
consisting of all 12 dependency pairs). The largest example in the collection, 
Example 3.11 (Quicksort) in [3], clearly reveals the benefits of the argument 
filtering heuristics as well as the new approach to cycle analysis. 

Table 1. Argument filtering heuristics in combination with cycle analysis methods. 
(The italics that mark failed attempts in the original typesetting are not reproduced 
in the two tables below.) 

                                          argument filterings 
                        some                    some more                    all 
cycle analysis     cycle    scc    new     cycle     scc     new     cycle      scc      new 
[3, Example 3.3]    0.02   0.08   0.02      0.14    0.81    0.13      5.72     5.68     5.78 
[3, Example 3.4]    0.01   0.01   0.01      0.02    0.02    0.02      0.09     0.06     0.08 
[3, Example 3.9]    0.28   0.23   0.13      1.94    2.32    0.86      9.79     4.38     4.48 
[3, Example 3.11]  14.29   9.35   5.79    152.45  209.10   57.51         ?        ?        ? 
[3, Example 3.15]   0.00   0.00   0.00      0.00    0.00    0.00      0.01     0.01     0.01 
[3, Example 3.38]   0.01   0.02   0.01      0.05    0.05    0.05      4.38     0.87     0.91 
[3, Example 3.44]   0.00   0.01   0.01      0.01    0.00    0.01      0.00     0.00     0.01 
[4, Example 6]      0.06   0.05   0.05      0.89    0.60    0.26      0.82     2.97     0.24 
[6, Example 11]        ?   0.08   0.08         ?    0.08    0.08         ?    16.46    15.21 
[6, Example 33]     0.05   0.05   0.05      0.13    0.13    0.12      0.48     0.44     0.48 
[15, Example 17]    1.77   1.75   1.63      4.41    4.39    4.19   1904.79   805.92  1045.75 
[16, Example 4.27]  0.00   0.01   0.01      0.01    0.01    0.01      0.03     0.04     0.03 
[16, Example 4.60]  0.17   0.17   0.16      0.23    0.13    0.14     41.19    21.50    21.42 
[17, Example 58]    0.00   0.00   0.00      0.00    0.00    0.00      0.01     0.01     0.01 

Table 2. Divide and conquer, KBO, and other tools. 

                     (1)      (2)      (3)       (4)       (5)     LPO    KBO     ARTS     CiME 
[3, Example 3.3]    0.10     3.30   492.76    269.03         ?    0.00   0.00    58.92        ? 
[3, Example 3.4]    0.01     0.02     0.08      3.13     25.51    0.00   0.00     2.76     0.19 
[3, Example 3.9]    0.25     3.43   340.99   1183.73         ?    0.00   0.00   391.18        ? 
[3, Example 3.11]   0.47     4.42   430.72      2.25     33.42    0.00   0.01        ?        ? 
[3, Example 3.15]   0.01     0.00     0.01      0.24      0.24    0.00   0.03        ?     0.08 
[3, Example 3.38]   0.01     0.05     4.50      0.02         ?    0.00   0.00   613.32     0.19 
[3, Example 3.44]   0.00     0.04     0.04      6.55     10.16    0.00   0.87     0.60     0.02 
[4, Example 6]      0.02     3.08    80.65      0.09   1783.14    0.00   0.00        ?   440.39 
[6, Example 11]     2.08    92.92        ?      0.39      5.52    0.00   0.00     4.43    61.36 
[6, Example 33]     0.02     0.12     0.89      0.18    593.26    0.00   0.00        ?     0.78 
[15, Example 17]    0.66    57.85        ?     67.36         ?    0.00   0.00        ?    15.80 
[16, Example 4.27]  0.01     0.05     0.29    202.65    396.36    0.00   5.17        ?  1485.27 
[16, Example 4.60]  0.04     0.36    23.14      0.28    387.01    0.00   0.00     6.44     1.74 
[17, Example 58]    0.00     0.00     0.02      0.43      0.45    0.00   0.06     1.35     0.06 

From columns (1), (2), and (3) in Table 2 we infer that the divide and conquer 
option has an even bigger impact on this example, especially if one keeps in 
mind that all suitable argument filterings are computed. Here we used the new 
algorithm for cycle analysis, LPO with strict precedence as base order, EDG as 
dependency graph approximation, and some (1), some more (2), and all (3) 
argument filterings. The question marks in column (3) are largely explained by 
the large memory demands of the divide and conquer option. We will address 
this issue in the near future. Note that [6, Example 11] is the only example in 
the collection which can be directly handled by LPO. 

In columns (4) and (5) we used KBO as base order and some respectively 
some more argument filterings (as well as the new algorithm for cycle analysis 
and EDG as dependency graph approximation). According to column (5) TTT 
requires 593.26 seconds to prove the termination of Example 33 (Battle of Hydra 
and Hercules) in [6]. This example nicely illustrates that the termination 
proving power of KBO, which is considered not to be very large, is increased sig- 
nificantly in combination with dependency pairs. The ARTS and CiME columns 
are described in the next section. 



6 Comparison 

TTT is not the first tool that implements the dependency pair method. The 
implementation of Arts [1] offers more refinements (like narrowing and termi- 
nation via innermost termination) of the dependency pair method and, via its 
graphical user interface, allows the user to choose a particular argument filtering 
(separately for each group of ordering constraints). In contrast to the latter, 
TTT offers improved algorithms for the automatic search for suitable argument 
filterings. For the ARTS column in Table 2 we used the only available automatic 
strategy in the distribution, which is (partly) described in [1, Section 3], and not 
guaranteed to terminate. Most of the successful termination proofs it generates 
use the refinements mentioned above. 

The implementation of the dependency pair method in CiME [5] uses weakly 
monotone polynomial interpretations as base order (which removes the need for 
argument filterings) and the SCC method for cycle analysis in the EDG approx- 
imated dependency graph. The search for a suitable polynomial interpretation 
can be restricted by specifying a certain class of simple polynomials as well as 
indicating a restricted range for the coefficients. Needless to say, the use of poly- 
nomial interpretations considerably restricts the class of terminating TRSs that 
can be proved terminating (automatically or otherwise). On the other hand, 
CiME admits AC operators and supports powerful modularity criteria based 
on the dependency pair method (described in [18,19]), two extensions which 
are not (yet) available in TTT. The data in the CiME column was obtained by 
using the default options to restrict the search for polynomial interpretations: 
simple-mixed polynomials with coefficients in the range 0-6. 

7 Future Extensions 

In the near future we plan to add an option that makes TTT search for a ter- 
mination proof using everything in its arsenal. The challenge here is to develop 
a strategy that finds proofs quickly without compromising the ability to find 
proofs at all. 

Other future extensions include adding more base orders, incorporating the 
refinements of the dependency pair method mentioned in the first paragraph of 
Section 6, and implementing the powerful modularity criteria based on the de- 
pendency pair method described in [14] and [19]. We also plan to add techniques 
for AC-termination. In Section 5 we already mentioned the reduction of the large 
memory requirements of the divide and conquer option as an important topic 
for future research. 

Another interesting idea is to generate output that allows for an indepen- 
dent check of the termination proof. We plan to develop some kind of formal 
language in which all kinds of termination proofs can be conveniently expressed. 
This development may lead to cooperating rather than competing termination 
provers. 
Abstract. In this paper, we show how the problem of verifying liveness 
properties is related to termination of term rewrite systems (TRSs). We 
formalize liveness in the framework of rewriting and present a sound and 
complete transformation to transform particular liveness problems into 
TRSs. Then the transformed TRS terminates if and only if the original 
liveness property holds. This shows that liveness and termination are 
essentially equivalent. To apply our approach in practice, we introduce a 
simpler sound transformation which only satisfies the ‘only if’-part. By 
refining existing techniques for proving termination of TRSs we show how 
liveness properties can be verified automatically. As examples, we prove 
a liveness property of a waiting line protocol for a network of processes 
and a liveness property of a protocol on a ring of processes. 



1 Introduction 

Usually, liveness is roughly defined as "something will eventually happen" [1] and 
it is often remarked that "termination is a particular case of liveness". In this 
paper we present liveness in the general but precise setting of abstract reduction 
and TRSs and we study the relationship between liveness and termination. While 
classically, TRSs are applied to model evaluation in programming languages, we 
use TRSs to study liveness questions which are of high importance in practice 
(e.g., in protocol verification for distributed processes). In particular, we show 
how to verify liveness properties by existing termination techniques for TRSs. 

In Sect. 2 we define a suitable notion of liveness to express eventuality prop- 
erties using abstract reduction. Sect. 3 specializes this notion to the framework 
of term rewriting. In Sect. 4 we investigate the connection between a particular 
kind of liveness and termination, and present a sound and complete transfor- 
mation which allows us to express liveness problems as termination problems 
of ordinary TRSs. Now techniques for proving termination of TRSs can also 
be used to infer liveness properties. To apply this approach in practice, based 
on our preceding results we present a sound (but incomplete) technique to per- 
form termination proofs for liveness properties in Sect. 5, which is significantly 
easier to mechanize. In contrast to methods like model checking, our technique 
does not require finite state space. Our approach differs from other applications 
of term rewriting techniques to parameterized systems or infinite state spaces, 
where the emphasis is on verification of other properties like reachability [4]. We 
demonstrate our approach on two case studies of network protocols. 

2 Liveness in Abstract Reduction 

In this section we give a formal definition of liveness using the framework of 
abstract reduction. We assume a set $S$ of states and a notion of computation 
that can be expressed by a binary relation $\to \subseteq S \times S$. So "$t \to u$" means that a 
computation step from $t$ to $u$ is possible. A computation sequence or reduction 
is defined to be a finite sequence $t_1, t_2, \ldots, t_n$ or an infinite sequence $t_1, t_2, t_3, \ldots$ 
with $t_i \to t_{i+1}$. We write $\to^*$ for the reflexive transitive closure of $\to$, i.e., $\to^*$ 
represents zero or more computation steps. 

To define liveness we assume a set $G \subseteq S$ of 'good' states and a set $I \subseteq S$ of ini- 
tial states. A reduction is maximal if it is either infinite or if its last element is in 
the set of normal forms $\mathrm{NF} = \{t \in S \mid \neg\exists u : t \to u\}$. The liveness property 
$\mathrm{Live}(I, \to, G)$ holds if every maximal reduction starting in $I$ contains an element of $G$. 
Thus, our notion of liveness describes eventuality properties (i.e., it does not 
capture properties like starvation freedom which are related to fairness). 

Definition 1 (Liveness). Let $S$ be a set of states, $\to \subseteq S \times S$, and $G, I \subseteq S$. Let 
"$t_1, t_2, t_3, \ldots$" denote an infinite sequence of states. Then $\mathrm{Live}(I, \to, G)$ holds iff 

1. $\forall t_1, t_2, t_3, \ldots : (t_1 \in I \wedge \forall i : t_i \to t_{i+1}) \Rightarrow \exists i : t_i \in G$, and 

2. $\forall t_1, t_2, \ldots, t_n : (t_1 \in I \wedge t_n \in \mathrm{NF} \wedge \forall i : t_i \to t_{i+1}) \Rightarrow \exists i : t_i \in G$. 

For example, termination (or strong normalization $\mathrm{SN}(I, \to)$) is a special 
liveness property describing the non-existence of infinite reductions, i.e., 

$\mathrm{SN}(I, \to) = \neg(\exists t_1, t_2, t_3, \ldots : t_1 \in I \wedge \forall i : t_i \to t_{i+1})$. 

Theorem 2. The property $\mathrm{SN}(I, \to)$ holds if and only if $\mathrm{Live}(I, \to, \mathrm{NF})$ holds. 

Proof. For the 'if'-part, if $\mathrm{SN}(I, \to)$ does not hold, then there is an infinite re- 
duction $t_1 \to t_2 \to \cdots$ with $t_1 \in I$. Due to NF's definition, this infinite reduction 
does not contain elements of NF, contradicting Property 1 in Def. 1. 

Conversely, if $\mathrm{SN}(I, \to)$ holds, then Property 1 in the definition of $\mathrm{Live}(I, \to, 
\mathrm{NF})$ holds trivially. Property 2 also holds, since $G = \mathrm{NF}$. □ 

Thm. 2 states that termination is a special case of liveness. The next theorem 
proves a kind of converse. For that purpose, we restrict the computation relation 
$\to$ such that it may only proceed if the current state is not in $G$. 

Definition 3 ($\to_G$). Let $S$, $\to$, $G$ be as in Def. 1. Then $\to_G \subseteq S \times S$ is the 
relation where $t \to_G u$ holds if and only if $t \to u$ and $t \notin G$. 

Now we show that $\mathrm{Live}(I, \to, G)$ is equivalent to $\mathrm{SN}(I, \to_G)$. The 'only if'- 
part holds without any further conditions. However, for the 'if'-part we have 
to demand that $G$ contains all normal forms $\mathrm{NF}(I)$ reachable from $I$, where 
$\mathrm{NF}(I) = \{u \in \mathrm{NF} \mid \exists t \in I : t \to^* u\}$. Otherwise, if there is a terminating sequence 
$t_1 \to \cdots \to t_n$ with all $t_i \notin G$, we might have $\mathrm{SN}(I, \to_G)$ but not $\mathrm{Live}(I, \to, G)$. 

Theorem 4. Let $\mathrm{NF}(I) \subseteq G$. Then $\mathrm{Live}(I, \to, G)$ holds iff $\mathrm{SN}(I, \to_G)$ holds. 

Proof. For the 'if'-part assume $\mathrm{SN}(I, \to_G)$. Property 2 of Def. 1 holds since 
$\mathrm{NF}(I) \subseteq G$. If Property 1 does not hold then there is an infinite reduction 
without elements of $G$ starting in $I$, contradicting $\mathrm{SN}(I, \to_G)$. 

Conversely assume that $\mathrm{Live}(I, \to, G)$ holds and that $\mathrm{SN}(I, \to_G)$ does not 
hold. Then there is an infinite sequence $t_1, t_2, t_3, \ldots$ with $t_1 \in I \wedge \forall i : t_i \to_G t_{i+1}$. 
Hence, $t_i \notin G$ and $t_i \to t_{i+1}$ for all $i$, contradicting Property 1 in Def. 1. □ 

Thm. 4 allows us to verify actual liveness properties: if $\mathrm{NF}(I) \subseteq G$, then one 
can instead verify termination of $\to_G$. If $\mathrm{NF}(I) \not\subseteq G$, then $\mathrm{SN}(I, \to_G)$ still implies 
the liveness property for all infinite computations. In Sect. 4 and 5 we show how 
techniques to prove termination of TRSs can be used for termination of $\to_G$. 

3 Liveness in Term Rewriting 

Now we focus on liveness in rewriting, i.e., we study the property $\mathrm{Live}(I, \to_R, G)$ 
where $\to_R$ is the rewrite relation corresponding to a TRS $R$. For an introduction 
to term rewriting, the reader is referred to [3], for example. 

Let $\Sigma$ be a signature containing a constant and let $V$ be a set of variables. We 
write $T(\Sigma, V)$ for the set of terms over $\Sigma$ and $V$ and $T(\Sigma)$ is the set of ground 
terms. For a term $t$, $V(t)$ and $\Sigma(t)$ denote the variables and function symbols 
occurring in $t$. Now $T(\Sigma, V)$ represents computation states and $G \subseteq T(\Sigma, V)$. 

By Thm. 4, $\mathrm{Live}(I, \to, G)$ is equivalent to $\mathrm{SN}(I, \to_G)$, if $\mathrm{NF}(I) \subseteq G$. To verify 
liveness, we want to prove $\mathrm{SN}(I, \to_G)$ by approaches for termination proofs of 
ordinary TRSs. However, depending on the form of $G$, different techniques are 
required. In the remainder we restrict ourselves to sets $G$ of the following form: 

$G = \{t \mid t \text{ does not contain an instance of } p\}$ for some term $p$. 

In other words, $G$ contains all terms which cannot be written as $C[p\sigma]$ for any 
context $C$ and substitution $\sigma$. As before, $t \to_G u$ holds iff $t \to_R u$ and $t \notin G$. So 
a term $t$ may be reduced whenever it contains an instance of the term $p$. 

A typical example of a liveness property is that eventually all processes re- 
questing a resource are granted access to the resource (see Sect. 5.3). If a process 
waiting for the resource is represented by the unary function symbol old and if 
terms are used to denote the state of the whole network, then we would define 
$G = \{t \mid t \text{ does not contain an instance of } \mathrm{old}(x)\}$. Now $\mathrm{Live}(I, \to_R, G)$ means 
that eventually one reaches a term without the symbol old. 

However, for arbitrary terms and TRSs, the notion $\to_G$ is not very useful: if 
there is a symbol $f$ of arity $> 1$ or if $p$ contains a variable $x$ (i.e., if $p$ can be 
written as $C[x]$ for some context $C$), then termination of $\to_G$ implies termination 
of the full rewrite relation $\to_R$. The reason is that any infinite reduction $t_1 \to_R 
t_2 \to_R \cdots$ gives rise to an infinite reduction $f(t_1, p, \ldots) \to_R f(t_2, p, \ldots) \to_R \cdots$ or 
$C[t_1] \to_R C[t_2] \to_R \cdots$ where in both cases none of the terms is in $G$. Therefore 
we concentrate on the particular case of top rewrite systems in which there is a 
designated symbol top. (These TRSs can be regarded as special forms of typed 
rewrite systems [11].) 

Definition 5 (Top Rewrite System). Let $\Sigma$ be a signature and let $\mathrm{top} \notin \Sigma$ 
be a new unary function symbol. A term $t \in T(\Sigma \cup \{\mathrm{top}\}, V)$ is a top term if 
its root is top and top does not occur below the root. Let $T_{\mathrm{top}}$ denote the set of 
all ground top terms. A TRS $R$ over the signature $\Sigma \cup \{\mathrm{top}\}$ is a top rewrite 
system iff for all rules $l \to r \in R$ either 

— $l$ and $r$ are top terms (in this case, we speak of a top rule) or 

— $l$ and $r$ do not contain the symbol top (then we have a non-top rule). 

Top rewrite systems typically suffice to model networks of processes, since the 
whole network is represented by a top term [6]. Clearly, in top rewrite systems, 
top terms can only be reduced to top terms again. In such systems we consider 
liveness properties $\mathrm{Live}(T_{\mathrm{top}}, \to_R, G)$. So we want to prove that every maximal 
reduction of ground top terms contains a term without an instance of $p$. 

Example 6 (Simple liveness example). Consider the following two-rule TRS $R$. 

$\mathrm{top}(c) \to \mathrm{top}(c) \qquad f(x) \to x$ 

Clearly, $R$ is not terminating and we even have infinite reductions within $T_{\mathrm{top}}$: 

$\mathrm{top}(f(f(c))) \to_R \mathrm{top}(f(c)) \to_R \mathrm{top}(c) \to_R \mathrm{top}(c) \to_R \cdots$ 

However, in every reduction one eventually reaches a term without $f$. Hence, if 
$p = f(x)$, then the liveness property is fulfilled for all ground top terms. Note 
that for $\Sigma = \{c, f\}$, we have $\mathrm{NF}(T_{\mathrm{top}}) = \emptyset$ and thus, $\mathrm{NF}(T_{\mathrm{top}}) \subseteq G$. Hence, by 
Thm. 4 it is sufficient to verify that $\to_G$ is terminating on $T_{\mathrm{top}}$. Indeed, the above 
reduction is not possible with $\to_G$, since $\mathrm{top}(c)$ is a normal form w.r.t. $\to_G$. 

4 Liveness and Termination 

In this section we investigate the correspondence between liveness and termina- 
tion in the framework of term rewriting. As in the previous section, we consider 
liveness properties $\mathrm{Live}(T_{\mathrm{top}}, \to_R, G)$ for top rewrite systems $R$ where $G$ consists 
of those terms that do not contain instances of some subterm $p$. Provided that 
$\mathrm{NF}(T_{\mathrm{top}}) \subseteq G$, by Thm. 4 the liveness property is equivalent to $\mathrm{SN}(T_{\mathrm{top}}, \to_G)$. 
Our aim is to prove termination of $\to_G$ on $T_{\mathrm{top}}$ by means of termination of 
TRSs. In this way one can use all existing techniques for termination proofs of 
term rewrite systems (including future developments) in order to prove liveness 
properties. A first step into this direction was taken in [6], where the termination 
proof technique of dependency pairs was used to verify certain liveness properties 
of telecommunication processes. However, now our aim is to develop an approach 
to connect liveness and termination in general. 

Given a TRS $R$ and a term $p$, we define a TRS $L(R, p)$ such that $L(R, p)$ 
terminates (on all terms) if and only if $\mathrm{SN}(T_{\mathrm{top}}, \to_G)$. A transformation where the 




Liveness in Rewriting 325 



'only if'-direction holds is called sound and if the 'if'-direction holds, it is called 
complete. The existence of the sound and complete transformation $L(R, p)$ shows 
that for rewrite relations, liveness and termination are essentially equivalent. 

The construction of $L(R, p)$ is motivated by an existing transformation [7,8] 
which was developed for a completely different purpose (termination of context- 
sensitive rewriting). We introduce a number of new function symbols resulting in 
an extended signature $\Sigma_G$. Here, $\mathrm{proper}(t)$ checks whether $t$ is a ground term over 
the original signature $\Sigma$ (Lemma 9) and $\mathrm{match}(p, t)$ checks in addition whether 
$p$ matches $t$ (Lemma 10). In this case, $\mathrm{proper}(t)$ and $\mathrm{match}(p, t)$ reduce to $\mathrm{ok}(t)$. 
To ease the formulation of the match-rules, we restrict ourselves to linear terms 
$p$, i.e., a variable occurs at most once in $p$. Moreover, for every variable $x$ in $p$ 
we introduce a fresh constant denoted by the corresponding upper-case letter $X$. 
We write $\bar p$ for the ground term obtained by replacing every variable in $p$ by its 
corresponding fresh constant and in this way, it suffices to handle ground terms 
$\bar p$ in the match-rules. The new symbol check investigates whether its argument 
is a ground term over $\Sigma$ which contains an instance of $p$ (Lemma 11). In this 
case, $\mathrm{check}(t)$ reduces to $\mathrm{found}(t)$ and to find the instance of $p$, check may be 
propagated downwards through the term until one reaches the instance of $p$. 

Finally, $\mathrm{active}(t)$ denotes that $t$ may be reduced, since it contains an instance 
of $p$. Therefore, active may be propagated downwards to any desired redex of 
the term. After the reduction step, active is replaced by mark which is then 
propagated upwards to the top of the term. Now one checks whether the resulting 
term still contains an instance of $p$ and none of the newly introduced function 
symbols. To this end, mark is replaced by check. If an instance of $p$ is found, 
check is turned into found and found is propagated to the top of the term where 
it is replaced by active again. The TRS $L(R, p)$ has been designed in such a 
way that infinite reductions are only possible if this process is repeated infinitely 
often and Lemmata 12-14 investigate $L(R, p)$'s behavior formally. 

Definition 7 ($L(R, p)$). Let $R$ be a top rewrite system over $\Sigma \cup \{\mathrm{top}\}$ with $\mathrm{top} \notin 
\Sigma$ and let $p \in T(\Sigma, V)$ be linear. The TRS $L(R, p)$ over the signature $\Sigma_G = \Sigma \cup 
\{\mathrm{top}, \mathrm{match}, \mathrm{active}, \mathrm{mark}, \mathrm{check}, \mathrm{proper}, \mathrm{start}, \mathrm{found}, \mathrm{ok}\} \cup \{X \mid x \in V(p)\}$ consists 
of the following rules for all non-top rules $l \to r \in R$, all top rules $\mathrm{top}(t) \to 
\mathrm{top}(u) \in R$, all $f \in \Sigma$ of arity $n > 0$ and $1 \leq i \leq n$, and all constants $c \in \Sigma_G$: 

$\mathrm{active}(l) \to \mathrm{mark}(r)$ 
$\mathrm{top}(\mathrm{active}(t)) \to \mathrm{top}(\mathrm{mark}(u))$ 
$\mathrm{top}(\mathrm{mark}(x)) \to \mathrm{top}(\mathrm{check}(x))$   (1) 
$\mathrm{check}(f(x_1, .., x_n)) \to f(\mathrm{proper}(x_1), .., \mathrm{check}(x_i), .., \mathrm{proper}(x_n))$ 
$\mathrm{check}(x) \to \mathrm{start}(\mathrm{match}(\bar p, x))$ 
$\mathrm{match}(f(x_1, .., x_n), f(y_1, .., y_n)) \to f(\mathrm{match}(x_1, y_1), .., \mathrm{match}(x_n, y_n))$, if $f \in \Sigma(p)$ 
$\mathrm{match}(c, c) \to \mathrm{ok}(c)$, if $c \in \Sigma(p)$ 
$\mathrm{match}(c, x) \to \mathrm{proper}(x)$, if $c \notin \Sigma$ and $c \in \Sigma(\bar p)$ 
$\mathrm{proper}(c) \to \mathrm{ok}(c)$, if $c \in \Sigma$ 
$\mathrm{proper}(f(x_1, \ldots, x_n)) \to f(\mathrm{proper}(x_1), \ldots, \mathrm{proper}(x_n))$ 
$f(\mathrm{ok}(x_1), \ldots, \mathrm{ok}(x_n)) \to \mathrm{ok}(f(x_1, \ldots, x_n))$ 
$\mathrm{start}(\mathrm{ok}(x)) \to \mathrm{found}(x)$ 
$f(\mathrm{ok}(x_1), .., \mathrm{found}(x_i), .., \mathrm{ok}(x_n)) \to \mathrm{found}(f(x_1, .., x_n))$ 
$\mathrm{top}(\mathrm{found}(x)) \to \mathrm{top}(\mathrm{active}(x))$   (2) 
$\mathrm{active}(f(x_1, \ldots, x_n)) \to f(x_1, .., \mathrm{active}(x_i), .., x_n)$ 
$f(x_1, .., \mathrm{mark}(x_i), .., x_n) \to \mathrm{mark}(f(x_1, \ldots, x_n))$ 



Example 8 (Transformation of simple liveness example). Recall the TRS from 
Ex. 6 again. Here, the transformation yields the following TRS $L(R, p)$. 

$\mathrm{active}(f(x)) \to \mathrm{mark}(x)$ 
$\mathrm{top}(\mathrm{active}(c)) \to \mathrm{top}(\mathrm{mark}(c))$ 
$\mathrm{top}(\mathrm{mark}(x)) \to \mathrm{top}(\mathrm{check}(x))$ 
$\mathrm{check}(f(x)) \to f(\mathrm{check}(x))$ 
$\mathrm{check}(x) \to \mathrm{start}(\mathrm{match}(f(X), x))$ 
$\mathrm{match}(f(x), f(y)) \to f(\mathrm{match}(x, y))$ 
$\mathrm{match}(X, x) \to \mathrm{proper}(x)$ 
$\mathrm{proper}(c) \to \mathrm{ok}(c)$ 
$\mathrm{proper}(f(x)) \to f(\mathrm{proper}(x))$ 
$f(\mathrm{ok}(x)) \to \mathrm{ok}(f(x))$ 
$\mathrm{start}(\mathrm{ok}(x)) \to \mathrm{found}(x)$ 
$f(\mathrm{found}(x)) \to \mathrm{found}(f(x))$ 
$\mathrm{top}(\mathrm{found}(x)) \to \mathrm{top}(\mathrm{active}(x))$ 
$\mathrm{active}(f(x)) \to f(\mathrm{active}(x))$ 
$f(\mathrm{mark}(x)) \to \mathrm{mark}(f(x))$ 



Note that it is really necessary to introduce the symbol proper and to check 
whether the whole term does not contain any new symbols from $\Sigma_G \setminus \Sigma$. If 
the proper-rules were removed, all remaining proper-terms were replaced by their 
arguments, and in $f(\mathrm{ok}(x_1), \ldots, \mathrm{found}(x_i), \ldots, \mathrm{ok}(x_n)) \to \mathrm{found}(f(x_1, \ldots, x_n))$, 
the terms $\mathrm{ok}(x_i)$ were replaced by $x_i$, then the transformation would not be 
complete any more. As a counterexample, regard $\Sigma = \{a, b, f\}$ and the TRS 

$\mathrm{top}(f(b, x, y)) \to \mathrm{top}(f(y, y, y))$ 
$\mathrm{top}(f(x, y, z)) \to \mathrm{top}(f(b, b, b))$ 
$\mathrm{top}(a) \to \mathrm{top}(b)$ 

and let $p = a$. The TRS satisfies the liveness property since for any ground top 
term, after at most two steps one reaches a term without $a$ (one obtains either 
$\mathrm{top}(b)$ or $\mathrm{top}(f(b, b, b))$). However, with the modified transformation we would 
get the following non-terminating cyclic reduction where $u$ is the term $\mathrm{found}(b)$: 

$\mathrm{top}(\mathrm{mark}(f(u, u, u))) \to \mathrm{top}(\mathrm{check}(f(u, u, u))) \to$ 

$\mathrm{top}(f(u, \mathrm{check}(u), u)) \to \mathrm{top}(\mathrm{found}(f(b, \mathrm{check}(u), u))) \to$ 

$\mathrm{top}(\mathrm{active}(f(b, \mathrm{check}(u), u))) \to \mathrm{top}(\mathrm{mark}(f(u, u, u))) \to \cdots$ 

To prove soundness and completeness of our transformation, we need several 
auxiliary lemmata about reductions with $L(R, p)$. The first lemma states that 
proper really checks whether its argument does not contain symbols from $\Sigma_G \setminus \Sigma$. 

Lemma 9 (Reducing proper). For $t \in T(\Sigma_G)$ we have $\mathrm{proper}(t) \to^*_{L(R,p)} \mathrm{ok}(u)$ 
if and only if $t, u \in T(\Sigma)$ and $t = u$. 

Proof. The proof is identical to the one in [7, Lemma 2] and [8]. □ 

Now we show that $\mathrm{match}(\bar p, t)$ checks whether $p$ matches $t$ and $t \in T(\Sigma)$. 

Lemma 10 (Reducing match). Let $p \in T(\Sigma, V)$, let $q \in T(\Sigma(p), V)$ be linear, 
and let $t \in T(\Sigma_G)$. We have $\mathrm{match}(\bar q, t) \to^*_{L(R,p)} \mathrm{ok}(u)$ iff $t = u \in T(\Sigma)$ and 
$q\sigma = t$ for some $\sigma$. 

Proof. The 'if'-direction is an easy induction on the structure of the term $t$, see 
[9]. The 'only if'-direction is proved by induction on the length of the reduction. 
If the first reduction step is in $t$, then $\mathrm{match}(\bar q, t) \to_{L(R,p)} \mathrm{match}(\bar q, t') \to^*_{L(R,p)} 
\mathrm{ok}(u)$ for a term $t'$ with $t \to_{L(R,p)} t'$. The induction hypothesis states $t' = u \in 
T(\Sigma)$ and $q\sigma = t'$. Note that $t' \in T(\Sigma)$ implies $t = t'$ which proves the lemma. 

Otherwise, the first reduction step is on the root position (since $\bar q$ is in 
normal form). If $q$ is a variable, then $q$ obviously matches $t$ and we obtain 
$\mathrm{match}(\bar q, t) \to_{L(R,p)} \mathrm{proper}(t) \to^*_{L(R,p)} \mathrm{ok}(u)$ and $t = u \in T(\Sigma)$ by Lemma 9. 
If $q$ is a constant $c$, then a root reduction is only possible if $t = c$. We obtain 
$\mathrm{match}(\bar q, t) = \mathrm{match}(c, c) \to_{L(R,p)} \mathrm{ok}(c)$. So in this case the lemma also holds. 

Finally, if $q = f(q_1, \ldots, q_n)$, for a root reduction we have $t = f(t_1, \ldots, t_n)$. 
Then $\mathrm{match}(\bar q, t) = \mathrm{match}(f(\bar q_1, \ldots, \bar q_n), f(t_1, \ldots, t_n)) \to_{L(R,p)} f(\mathrm{match}(\bar q_1, t_1), \ldots, 
\mathrm{match}(\bar q_n, t_n)) \to^*_{L(R,p)} \mathrm{ok}(u)$. To reduce $f(\ldots)$ to $\mathrm{ok}(\ldots)$, all arguments of $f$ 
must reduce to ok-terms. Hence, $\mathrm{match}(\bar q_i, t_i) \to^*_{L(R,p)} \mathrm{ok}(u_i)$ for all $i$ where 
these reductions are shorter than the reduction $\mathrm{match}(\bar q, t) \to^*_{L(R,p)} \mathrm{ok}(u)$. The 
induction hypothesis implies $t_i = u_i \in T(\Sigma)$ and that there are substitutions 
$\sigma_i$ with $q_i\sigma_i = t_i$. Since $q$ is linear, we can combine these $\sigma_i$ to one $\sigma$ such that 
$q\sigma = t$. Moreover, this implies $u = f(u_1, \ldots, u_n)$ which proves the lemma. □ 

Based on the previous two lemmata, one can show that check works properly, 
i.e., it checks whether its argument is a term from $T(\Sigma)$ containing an instance 
of $p$. The proof is similar to the one of Lemma 10 and can be found in [9]. 

Lemma 11 (Reducing check). Let $p \in T(\Sigma, V)$ be linear and $t \in T(\Sigma_G)$. We 
have $\mathrm{check}(t) \to^*_{L(R,p)} \mathrm{found}(u)$ iff $t = u \in T(\Sigma)$ and $t$ contains a subterm $p\sigma$. 

Lemma 12 shows that the top-rules (1), (2) are applied in an alternating way. 

Lemma 12 (Reducing active and check). For all $t, u \in T(\Sigma_G)$ we have 

(a) $\mathrm{active}(t) \not\to^*_{L(R,p)} \mathrm{found}(u)$ and $\mathrm{active}(t) \not\to^*_{L(R,p)} \mathrm{ok}(u)$ 

(b) $\mathrm{check}(t) \not\to^*_{L(R,p)} \mathrm{mark}(u)$ and $\mathrm{proper}(t) \not\to^*_{L(R,p)} \mathrm{mark}(u)$ 

Proof. For (a), by induction on $n \in \mathbb{N}$, we show that there is no reduction 
from $\mathrm{active}(t)$ to $\mathrm{found}(u)$ or to $\mathrm{ok}(u)$ of length $n$. If the first reduction step 
is in $t$, then the claim follows from the induction hypothesis. Otherwise, the 
reduction starts with a root step. This first step cannot be $\mathrm{active}(t) \to_{L(R,p)} 
\mathrm{mark}(u)$, since the root symbol mark can never be reduced again. Hence, we must 
have $t = f(t_1, \ldots, t_i, \ldots, t_n)$ and $\mathrm{active}(t) = \mathrm{active}(f(t_1, \ldots, t_i, \ldots, t_n)) \to_{L(R,p)} 
f(t_1, \ldots, \mathrm{active}(t_i), \ldots, t_n)$. In order to rewrite this term to a found- or ok-term, 
in particular $\mathrm{active}(t_i)$ must be rewritten to a found- or ok-term which contradicts 
the induction hypothesis. For the (similar) proof of (b), we refer to [9]. □ 
We now prove that the top-rules are crucial for $L(R, p)$'s termination behavior. 

Lemma 13. Let $L'(R, p) = L(R, p) \setminus \{(1), (2)\}$. Then $L'(R, p)$ is terminating. 

Proof. Termination of $L'(R, p)$ can be proved by the recursive path order [5] 
using the precedence $\mathrm{active} > \mathrm{check} > \mathrm{match} > \mathrm{proper} > \mathrm{start} > f > \mathrm{ok} > 
\mathrm{found} > \mathrm{mark}$ for all $f \in \Sigma \cup \{X \mid x \in V(p)\}$. □ 

Before relating $L(R, p)$ and $\to_G$, we study the connection of $L(R, p)$ and $\to_R$. 

Lemma 14. Let $t, u \in T(\Sigma)$. Then we have $\mathrm{active}(t) \to^*_{L(R,p)} \mathrm{mark}(u)$ iff 
$t \to_R u$ and $\mathrm{top}(\mathrm{active}(t)) \to^*_{L(R,p)} \mathrm{top}(\mathrm{mark}(u))$ iff $\mathrm{top}(t) \to_R \mathrm{top}(u)$. 

Proof. The 'if'-direction is easy by induction on $t$. For the 'only if'-direction, we 
prove that $\mathrm{active}(t) \to^*_{L(R,p)} \mathrm{mark}(u)$ implies $t \to_R u$ by induction on the length 
of the reduction. The proof that $\mathrm{top}(\mathrm{active}(t)) \to^*_{L(R,p)} \mathrm{top}(\mathrm{mark}(u))$ implies 
$\mathrm{top}(t) \to_R \mathrm{top}(u)$ is analogous [9]. Since $t \in T(\Sigma)$, the first reduction step must 
be on the root position. If $\mathrm{active}(t) \to_{L(R,p)} \mathrm{mark}(u)$ on root position, then $t = l\sigma$ 
and $u = r\sigma$ for a rule $l \to r \in R$ and thus, $t \to_R u$. Otherwise, $t = f(t_1, \ldots, t_n)$ 
and $\mathrm{active}(t) = \mathrm{active}(f(t_1, \ldots, t_n)) \to_{L(R,p)} f(t_1, \ldots, \mathrm{active}(t_i), \ldots, t_n) \to^*_{L(R,p)} 
\mathrm{mark}(u)$. Thus, $\mathrm{active}(t_i) \to^*_{L(R,p)} \mathrm{mark}(u_i)$ and $u = f(t_1, \ldots, u_i, \ldots, t_n)$. The 
induction hypothesis implies $t_i \to_R u_i$ and hence, $t \to_R u$. □ 

Theorem 15 (Soundness and Completeness). Let $R$ be a top rewrite sys- 
tem over $\Sigma \cup \{\mathrm{top}\}$ with $\mathrm{top} \notin \Sigma$ and let $p \in T(\Sigma, V)$ be linear. The TRS $L(R, p)$ 
is terminating (on all terms) iff the relation $\to_G$ is terminating on $T_{\mathrm{top}}$. 

Proof. We first show the 'only if'-direction. If $\to_G$ does not terminate on $T_{\mathrm{top}}$ 
then there is an infinite reduction $\mathrm{top}(t_1) \to_G \mathrm{top}(t_2) \to_G \cdots$ where $t_1, t_2, \ldots \in 
T(\Sigma)$. By Lemma 14 we have $\mathrm{top}(\mathrm{active}(t_i)) \to^*_{L(R,p)} \mathrm{top}(\mathrm{mark}(t_{i+1}))$. Lemma 
11 implies $\mathrm{check}(t_{i+1}) \to^*_{L(R,p)} \mathrm{found}(t_{i+1})$, since each $t_{i+1}$ contains an instance 
of $p$. So we obtain the following contradiction to the termination of $L(R, p)$. 

$\mathrm{top}(\mathrm{active}(t_1)) \to^*_{L(R,p)} \mathrm{top}(\mathrm{mark}(t_2)) \to_{L(R,p)} \mathrm{top}(\mathrm{check}(t_2)) \to^*_{L(R,p)}$ 

$\mathrm{top}(\mathrm{found}(t_2)) \to_{L(R,p)} \mathrm{top}(\mathrm{active}(t_2)) \to^*_{L(R,p)} \cdots$ 

For the 'if'-direction assume that $L(R, p)$ is not terminating. By type in- 
troduction [11] one can show that there exists an infinite $L(R, p)$-reduction of 
ground top terms. Due to Lemma 13 the reduction contains infinitely many ap- 
plications of the rules (1) and (2). These rules must be applied in alternating 
order, since $\mathrm{active}(t)$ can never reduce to $\mathrm{found}(u)$ and $\mathrm{check}(t)$ can never reduce 
to $\mathrm{mark}(u)$ by Lemma 12. So the reduction has the following form where all 
reductions with the rules (1) and (2) are displayed. 

$\to^*_{L(R,p)} \mathrm{top}(\mathrm{mark}(t_1)) \to_{L(R,p)} \mathrm{top}(\mathrm{check}(t_1)) \to^*_{L(R,p)}$ 

$\mathrm{top}(\mathrm{found}(u_1)) \to_{L(R,p)} \mathrm{top}(\mathrm{active}(u_1)) \to^*_{L(R,p)}$ 
$\mathrm{top}(\mathrm{mark}(t_2)) \to_{L(R,p)} \mathrm{top}(\mathrm{check}(t_2)) \to^*_{L(R,p)}$ 
$\mathrm{top}(\mathrm{found}(u_2)) \to_{L(R,p)} \mathrm{top}(\mathrm{active}(u_2)) \to^*_{L(R,p)} \cdots$ 

By Lemma 11 we have $t_i = u_i \in T(\Sigma)$ and that $t_i$ contains an instance of 
$p$. Lemma 14 implies $\mathrm{top}(u_i) \to_R \mathrm{top}(t_{i+1})$. Together, we obtain $\mathrm{top}(t_1) \to_G 
\mathrm{top}(t_2) \to_G \cdots$ in contradiction to the termination of $\to_G$ on $T_{\mathrm{top}}$. □ 

By Thm. 15, one can now use existing techniques for termination proofs of 
TRSs to verify liveness of systems like Ex. 6. For instance, termination of the 
transformed TRS from Ex. 8 is easy to show with dependency pairs [2], cf. [9]. 

5 Proving Liveness 

In Sect. 5.1 we present a sound transformation which is more suitable for mecha- 
nizing liveness proofs than the complete transformation from Sect. 4. The reason 
is that for this new transformation, termination of the transformed TRS is much 
easier to show. On the other hand, the approach in this section is incomplete, 
i.e., it cannot succeed for all examples. Subsequently, in Sect. 5.2 we introduce an 
automatic preprocessing technique based on semantic labelling [12] to simplify 
these termination proofs further. In this way, rewriting techniques can be used 
to mechanize the verification of liveness properties. To illustrate the use of our 
approach, in Sect. 5.3 we show how to verify liveness properties of a network of 
processes with a shared resource and of a token ring protocol. 



5.1 A Sound Transformation for Liveness 

To obtain a simple sound transformation, the idea is to introduce only one new 
symbol check. A new occurrence of check is created in every application of a top 
rule. If check finds an instantiation of p then check may be removed. Otherwise, 
check remains in the term where it may block further reductions. 

Definition 16 ($LS(R,p)$). For a top rewrite system $R$ over $\Sigma \cup \{\mathrm{top}\}$ with
$\mathrm{top} \notin \Sigma$ and $p \in T(\Sigma, V)$, let $LS(R,p)$ consist of the following rules.

$l \to r$ for all non-top rules $l \to r$ in $R$

$\mathrm{top}(t) \to \mathrm{top}(\mathrm{check}(u))$ for all top rules $\mathrm{top}(t) \to \mathrm{top}(u)$

$\mathrm{check}(f(x_1, \ldots, x_n)) \to f(x_1, \ldots, \mathrm{check}(x_i), \ldots, x_n)$ for $f \in \Sigma$ of arity $n \geq 1$, $i = 1, \ldots, n$

$\mathrm{check}(p) \to p$



Example 17 (Simple example revisited). To illustrate the transformation, reconsider
the system from Ex. 6. Here, $LS(R, \mathrm{f}(x))$ is the following TRS whose termination
can be proved by dependency pairs and the recursive path order.

$\mathrm{top}(\mathrm{c}) \to \mathrm{top}(\mathrm{check}(\mathrm{c}))$ (3)        $\mathrm{check}(\mathrm{f}(x)) \to \mathrm{f}(\mathrm{check}(x))$ (5)

$\mathrm{f}(x) \to x$ (4)        $\mathrm{check}(\mathrm{f}(x)) \to \mathrm{f}(x)$ (6)

Now we show that this transformation is indeed sound. In other words, the 
above termination proof verifies the liveness property of our example. 
Theorem 18 (Soundness). Let $R$ be a top rewrite system over $\Sigma \cup \{\mathrm{top}\}$ with
$\mathrm{top} \notin \Sigma$, let $p \in T(\Sigma, V)$, and let $G = \{t \mid t \text{ does not contain an instance of } p\}$.
If $LS(R,p)$ is terminating then there is no infinite $\to_G$-reduction of top terms.

Proof. Assume there is an infinite $\to_G$-reduction of top terms $\mathrm{top}(t_1) \to_G \mathrm{top}(t_2)$
$\to_G \cdots$ Since $\mathrm{top}$ does not occur in $p$, every $t_i$ has the form $C_i[p\sigma_i]$ for some context
$C_i$ and substitution $\sigma_i$. To prove the theorem, we show that $\mathrm{top}(t_i) \to^{+}_{LS(R,p)}$
$\mathrm{top}(t_{i+1})$ for every $i$, by which we obtain an infinite $LS(R,p)$-reduction.

If $\mathrm{top}(t_i) \to_R \mathrm{top}(t_{i+1})$ by the application of a non-top rule $l \to r$ then we
also have $\mathrm{top}(t_i) \to_{LS(R,p)} \mathrm{top}(t_{i+1})$ since $l \to r$ is also contained in $LS(R,p)$.
Otherwise, $\mathrm{top}(t_i) \to_R \mathrm{top}(t_{i+1})$ by a top rule $\mathrm{top}(t) \to \mathrm{top}(u)$. Hence, $t_i = t\sigma$
and $t_{i+1} = u\sigma$ for some $\sigma$. Since $LS(R,p)$ contains the rules $\mathrm{check}(f(x_1, \ldots, x_n))$
$\to f(x_1, \ldots, \mathrm{check}(x_i), \ldots, x_n)$ for all $f$ with arity $\geq 1$, we obtain

$\mathrm{top}(t_i) = \mathrm{top}(t\sigma) \to_{LS(R,p)} \mathrm{top}(\mathrm{check}(u\sigma)) = \mathrm{top}(\mathrm{check}(C_{i+1}[p\sigma_{i+1}]))$
$\to^{*}_{LS(R,p)} \mathrm{top}(C_{i+1}[\mathrm{check}(p)\sigma_{i+1}])$
$\to_{LS(R,p)} \mathrm{top}(C_{i+1}[p\sigma_{i+1}]) = \mathrm{top}(t_{i+1})$ $\square$

Example 19 (Sound transformation is not complete). However, this transformation
is incomplete as can be shown by the following top rewrite system $R$

$\mathrm{top}(\mathrm{f}(x, \mathrm{b})) \to \mathrm{top}(\mathrm{f}(\mathrm{b}, \mathrm{b}))$        $\mathrm{a} \to \mathrm{b}$

where $\Sigma = \{\mathrm{a}, \mathrm{b}, \mathrm{f}\}$ and $p = \mathrm{a}$. In this example, normal forms do not contain $\mathrm{a}$
any more and every infinite reduction of top terms reaches the term $\mathrm{top}(\mathrm{f}(\mathrm{b}, \mathrm{b}))$
which does not contain the symbol $\mathrm{a}$ either. Hence, the liveness property holds.
However, $LS(R,p)$ admits the following infinite reduction:

$\mathrm{top}(\mathrm{f}(\mathrm{b}, \mathrm{b})) \to \mathrm{top}(\mathrm{check}(\mathrm{f}(\mathrm{b}, \mathrm{b}))) \to \mathrm{top}(\mathrm{f}(\mathrm{check}(\mathrm{b}), \mathrm{b})) \to \mathrm{top}(\mathrm{check}(\mathrm{f}(\mathrm{b}, \mathrm{b})))$

Thus, the transformation of Def. 16 is incomplete, because even if check remains
in a term, this does not necessarily block further (infinite) reductions.
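As an added example that is not part of the paper, the following Python code implements the transformation $LS(R,p)$ of Def. 16 on a small term representation and regenerates the transformed system of Ex. 19 together with $LS(R, \mathrm{old}(x))$ for the waiting-line system of Sect. 5.3 (rules (7)-(15) there). Terms are nested tuples (symbol, arg_1, ..., arg_n) and a bare string is a variable; the fresh variable names x1, x2, ... in the generated check rules and the pretty-printer are choices of this example, and the code assumes, as Def. 16 does, that the symbol check does not already occur in $\Sigma$.

```python
"""LS(R, p) of Def. 16, as an added example (not the authors' code).
Terms are nested tuples (symbol, arg_1, ..., arg_n); a bare string is a
variable; a rule is a pair (lhs, rhs).  Assumes 'check' is not in Sigma."""


def is_var(t):
    return isinstance(t, str)


def signature(terms):
    """Arity of every function symbol occurring in the given terms."""
    sig, todo = {}, list(terms)
    while todo:
        t = todo.pop()
        if not is_var(t):
            sig[t[0]] = len(t) - 1
            todo.extend(t[1:])
    return sig


def ls_transform(rules, p, top="top"):
    """Build LS(R, p): non-top rules are kept; a top rule top(t) -> top(u)
    becomes top(t) -> top(check(u)); check descends into every argument
    position of every symbol of arity >= 1; check(p) -> p discharges it."""
    out = []
    for l, r in rules:
        if not is_var(l) and l[0] == top:
            if is_var(r) or r[0] != top or len(r) != 2:
                raise ValueError("top rules must have the form top(t) -> top(u)")
            out.append((l, (top, ("check", r[1]))))
        else:
            out.append((l, r))
    sig = signature([t for rule in rules for t in rule] + [p])
    sig.pop(top, None)
    for f, n in sorted(sig.items()):
        xs = [f"x{j + 1}" for j in range(n)]
        for i in range(n):  # one rule per argument position i
            rhs = (f,) + tuple(("check", x) if j == i else x for j, x in enumerate(xs))
            out.append((("check", (f, *xs)), rhs))
    out.append((("check", p), p))
    return out


def show(t):
    """Print a term in the paper's notation, e.g. top(check(f(b, b)))."""
    if is_var(t):
        return t
    return t[0] + ("(" + ", ".join(show(a) for a in t[1:]) + ")" if len(t) > 1 else "")


# Ex. 19: R = {top(f(x, b)) -> top(f(b, b)), a -> b}, p = a.
EX19 = [(("top", ("f", "x", ("b",))), ("top", ("f", ("b",), ("b",)))), (("a",), ("b",))]
# The waiting-line system R of Sect. 5.3 with p = old(x); LS(R, p) is rules (7)-(15).
WAITING_LINE = [
    (("top", ("free", "x")), ("top", ("new", "x"))),
    (("new", ("free", "x")), ("free", ("new", "x"))),
    (("old", ("free", "x")), ("free", ("old", "x"))),
    (("new", ("serve",)), ("free", ("serve",))),
    (("old", ("serve",)), ("free", ("serve",))),
]

if __name__ == "__main__":
    for name, rules, p in (("LS(R, a)", EX19, ("a",)), ("LS(R, old(x))", WAITING_LINE, ("old", "x"))):
        print(name)
        for l, r in ls_transform(rules, p):
            print("   ", show(l), "->", show(r))
```

For Ex. 19 the output is the top rule with check inserted, the two descent rules for the binary symbol f, and check(a) -> a; the rule top(f(x, b)) -> top(check(f(b, b))) is exactly the one that re-creates check in the infinite reduction above, which is why termination of $LS(R,p)$ fails there although liveness hol ds.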

5.2 A Preprocessing Procedure for Verifying Liveness 

The aim of our sound transformation from Def. 16 is to simplify (and possibly 
automate) the termination proofs which are required in order to show liveness 
properties. Since the TRSs resulting from our transformation have a particular 
form, we now present a method to preprocess such TRSs. This preprocessing 
is especially designed for this form of TRSs and in this way, their termination 
proofs can often be simplified significantly. The method consists of four steps 
which can be performed automatically: 

(a) First one deletes rules which cannot cause non-termination. 

(b) Then one applies the well-known transformation technique of semantic la- 
belling [12] with a particularly chosen model and labelling. (This restricted 
form of semantic labelling can be done automatically.) 
(c) Then one again deletes rules which cannot cause non-termination.

(d) Finally one uses an existing automatic technique (e.g., the recursive path 
order or dependency pairs) to prove termination of the resulting TRS. 

To delete rules in Step (a) and (c) we use the following lemma. For a function
symbol $f \in \Sigma$ and a term $t \in T(\Sigma, V)$, let $\#_f(t)$ be the number of $f$-symbols
occurring in $t$. For $\emptyset \neq \Sigma' \subseteq \Sigma$ let $\#_{\Sigma'}(t) = \sum_{f \in \Sigma'} \#_f(t)$.

Lemma 20. Let $R$ be a TRS such that

— $R$ is non-duplicating, i.e., for every rule $l \to r$, no variable occurs more
often in $r$ than in $l$, and

— $\#_{\Sigma'}(l) \geq \#_{\Sigma'}(r)$ for all rules $l \to r$ in $R$

for some $\Sigma' \subseteq \Sigma$. Let $R'$ consist of those rules $l \to r$ from $R$ which satisfy
$\#_{\Sigma'}(l) > \#_{\Sigma'}(r)$. Then $R$ is terminating if and only if $R \setminus R'$ is terminating.

Proof. The ‘only if’-part holds since $R \setminus R' \subseteq R$. For the ‘if’-part assume that
$R \setminus R'$ is terminating and that we have an infinite $R$-reduction. Due to the
conditions of the lemma we have $\#_{\Sigma'}(t) \geq \#_{\Sigma'}(u)$ for every step $t \to_R u$ and
$\#_{\Sigma'}(t) > \#_{\Sigma'}(u)$ for every step $t \to_{R'} u$. Hence, due to well-foundedness of the
natural numbers, the infinite $R$-reduction contains only finitely many $R'$-steps.
After removing the finite initial part containing all these $R'$-steps, the remaining
part is an infinite $R \setminus R'$-reduction, which gives a contradiction. $\square$

The application of Lemma 20 is easily automated as follows: for all sets $\Sigma' \subseteq$
$\Sigma$ with $|\Sigma'| \leq n$ for some (small) $n \in \mathbb{N}$, it is checked whether $\#_{\Sigma'}(l) \geq \#_{\Sigma'}(r)$
for all rules $l \to r$. If so, then all rules $l \to r$ satisfying $\#_{\Sigma'}(l) > \#_{\Sigma'}(r)$ are
removed. This process is repeated until no rule can be removed any more.

As a first example, we apply Lemma 20 to the TRS from Ex. 17. By counting 
the occurrences of f, we note that the number of f-symbols strictly decreases in 
Rule (4) and it remains the same in all other rules. Hence, due to Lemma 20 we 
can drop this rule when proving termination of the TRS. It turns out that in 
this case repetition of this process does not succeed in removing more rules. 

In our termination procedure, in Step (b) we apply a particular instance of
semantic labelling [12]. Before describing this instance we briefly explain how
semantic labelling works as a tool to prove termination of a TRS $R$ over the
signature $\Sigma$. One starts by choosing a model for the TRS $R$. Thus, one defines
a non-empty carrier set $M$ and for every function symbol $f \in \Sigma$ of arity $n$, an
interpretation $f_M : M^n \to M$ is chosen. As usual, every variable assignment
$\alpha : V \to M$ can be extended to terms from $T(\Sigma, V)$ by inductively defining
$\alpha(f(t_1, \ldots, t_n)) = f_M(\alpha(t_1), \ldots, \alpha(t_n))$. The interpretation is a model for $R$ if
$\alpha(l) = \alpha(r)$ for every rule $l \to r$ in $R$ and every variable assignment $\alpha : V \to M$.

Using this model, the TRS $R$ over the signature $\Sigma$ is transformed into a
labelled TRS $\overline{R}$ over the labelled signature $\overline{\Sigma}$. Here, every function symbol $f \in \Sigma$
of arity $n$ may be labelled by $n$ elements from $M$, i.e., $\overline{\Sigma} = \{f_{a_1, \ldots, a_n} \mid f \in \Sigma, n =$
$\mathrm{arity}(f), a_i \in M\}$ where the arity of $f_{a_1, \ldots, a_n}$ is the same as the arity of $f$. For any
variable assignment $\alpha : V \to M$, we define a function $\mathrm{lab}_\alpha : T(\Sigma, V) \to T(\overline{\Sigma}, V)$
which labels every function symbol by the interpretations of its arguments:

$\mathrm{lab}_\alpha(x) = x$, for $x \in V$

$\mathrm{lab}_\alpha(f(t_1, \ldots, t_n)) = f_{\alpha(t_1), \ldots, \alpha(t_n)}(\mathrm{lab}_\alpha(t_1), \ldots, \mathrm{lab}_\alpha(t_n))$

Now the TRS $\overline{R}$ is defined to consist of all rules $\mathrm{lab}_\alpha(l) \to \mathrm{lab}_\alpha(r)$ for all variable
assignments $\alpha : V \to M$ and all rules $l \to r$ in $R$. The main theorem of semantic
labelling states that $R$ is terminating if and only if $\overline{R}$ is terminating.

In general, semantic labelling permits a lot of freedom and is hard to auto- 
mate, since one may choose arbitrary models. Moreover, in full semantic labelling 
one may also use arbitrary labellings. However, we will restrict ourselves to the 
case where M = {0, 1}. Now there are only finitely many possibilities for the 
interpretations /m in the model. This means that with this restriction the ter- 
mination method consisting of the steps (a) - (d) is fully decidable. 

To improve efficiency and to avoid checking all possibilities of a two-element 
model for semantic labelling, we now propose heuristics for choosing the inter- 
pretations /m in such a model. These heuristics are adapted to the special form 
of TRSs resulting from our transformation in Def. 16 when verifying liveness 
properties. The main objective is that we want to distinguish between terms 
that contain instances of p and terms that do not. Therefore, our aim is to in- 
terpret the former terms by 0 and the latter terms by 1. Since the intention of 
check is that an occurrence of p should be found, check(x) will be interpreted 
as the constant function 0. Since top only occurs at the top, for top(a:) we may 
also choose a constant function. Having these objectives in mind, we arrive at 
the following heuristic for choosing the operations /m in the model M = {0, 1}: 

— $\mathrm{top}_M(x) = \mathrm{check}_M(x) = f_M(x_1, \ldots, x_n) = 0$ for $x = 0, 1$, where $f$ is the root
symbol of $p$;

— $c_M = 1$ for every constant $c$, except if $p = c$;

— $f_M(x_1, \ldots, x_n) = \min(x_1, \ldots, x_n)$ for all other symbols $f$ as long as this does
not conflict with the model requirement $\alpha(l) = \alpha(r)$. In particular, for the
remaining unary symbols $f$ one tries to choose $f_M(x) = x$.

Applying these heuristics to our example results in the following interpretation:

$\mathrm{top}_M(x) = \mathrm{check}_M(x) = \mathrm{f}_M(x) = 0$ for $x \in M = \{0, 1\}$ and $\mathrm{c}_M = 1$

One checks that this is a model for the TRS. Here it is essential that we first
removed Rule (4), since $\mathrm{f}_M(x) = 0 \neq x$ if $x = 1$. The labelling results in the TRS

$\mathrm{top}_1(\mathrm{c}) \to \mathrm{top}_0(\mathrm{check}_1(\mathrm{c}))$

$\mathrm{check}_0(\mathrm{f}_i(x)) \to \mathrm{f}_0(\mathrm{check}_i(x))$ for $i \in \{0, 1\}$

$\mathrm{check}_0(\mathrm{f}_i(x)) \to \mathrm{f}_i(x)$ for $i \in \{0, 1\}$

In Step (c) of our termination procedure, we apply Lemma 20 again. By
counting the occurrences of $\mathrm{top}_1$, we can drop the first rule. By counting $\mathrm{f}_1$,
the second rule can be removed if $i$ is 1, and by counting $\mathrm{check}_0$ we can delete
the third rule. So the remaining TRS just contains the rule $\mathrm{check}_0(\mathrm{f}_0(x)) \to$
$\mathrm{f}_0(\mathrm{check}_0(x))$ whose termination is trivial to prove by the recursive path order.

This example indicates that preprocessing a TRS according to Steps (a) - 
(c) often simplifies the termination proof considerably. For the original TRS of 
Ex. 17, one needs dependency pairs for the termination proof, whereas after the 
transformation a very simple recursive path order is sufficient. 



5.3 Two Case Studies of Liveness 

To demonstrate the applicability of our approach, we consider two case studies.
The first one is motivated by verification problems of protocols similar to the
bakery protocol [10]. We describe a network of processes which want to gain access
to a shared resource. The processes waiting for the resource are served one after
another. Since the maximal size of the waiting line is fixed, a new process can
only enter the waiting line if a process in the current line has been “served”
(i.e., if it has been granted access to the resource). The maximal length $n$ of the
waiting line is arbitrary, and we will show that the liveness property holds for all
$n \in \mathbb{N}$. Hence, techniques like classical model checking, which need a finite state
space, are not applicable here.

The processes in the line are served on a “first in - first out” basis (this 
corresponds to the serving of clients in a shop) . So at the front end of the waiting 
line, a process may be served, where serving is denoted by a constant serve. If a 
process is served, its place in the line is replaced by a free place, denoted by free. 
If the place in front of some process is free, this process may take the free place, 
creating a free place on its original position. If the line has a free place at its back 
end, a new process new may enter the waiting line, taking over the position of 
the free place. Apart from new processes represented by new we also consider old 
processes represented by old, which were already in the line initially. We want 
to verify the liveness property that eventually all old processes will be served. 
To model protocols with TRSs, we represent the state of the whole network by 
a top term. Introducing the symbol top at the back end of the waiting line, this 
network is described by the following top rewrite system R: 

$\mathrm{top}(\mathrm{free}(x)) \to \mathrm{top}(\mathrm{new}(x))$        $\mathrm{new}(\mathrm{serve}) \to \mathrm{free}(\mathrm{serve})$

$\mathrm{new}(\mathrm{free}(x)) \to \mathrm{free}(\mathrm{new}(x))$        $\mathrm{old}(\mathrm{serve}) \to \mathrm{free}(\mathrm{serve})$

$\mathrm{old}(\mathrm{free}(x)) \to \mathrm{free}(\mathrm{old}(x))$

Note that the above TRS admits infinite reductions of top terms. For instance,

$\mathrm{top}(\mathrm{new}(\mathrm{serve})) \to \mathrm{top}(\mathrm{free}(\mathrm{serve})) \to \mathrm{top}(\mathrm{new}(\mathrm{serve})) \to \cdots$

describes that the protocol for serving processes and for letting new processes enter
may go on forever. But we will prove that after finitely many steps one reaches
a term without the symbol old, i.e., eventually all old processes are served. In
our terminology this liveness property is represented by $\mathrm{Live}(T_{\mathrm{top}}, \to_R, G)$ where
$G = \{t \mid t \text{ does not contain an instance of } \mathrm{old}(x)\}$. Note that this liveness property
does not hold for various variations of this system. For instance, if processes
are allowed to swap by $\mathrm{new}(\mathrm{old}(x)) \to \mathrm{old}(\mathrm{new}(x))$, or if new processes are always
allowed to line up by $\mathrm{top}(x) \to \mathrm{top}(\mathrm{new}(x))$, then liveness is destroyed.

Since $\mathrm{top}(\mathrm{serve})$ is the only ground top term that is in normal form, we
conclude that $\mathrm{NF}(T_{\mathrm{top}}) \subseteq G$. Hence by Thm. 4 the required liveness property is
equivalent to $\mathrm{SN}(T_{\mathrm{top}}, \to_G)$. To prove this termination property of $\to_G$ according
to Thm. 18 we may prove termination of the TRS $LS(R,p)$:



$\mathrm{top}(\mathrm{free}(x)) \to \mathrm{top}(\mathrm{check}(\mathrm{new}(x)))$ (7)
$\mathrm{new}(\mathrm{free}(x)) \to \mathrm{free}(\mathrm{new}(x))$ (8)
$\mathrm{old}(\mathrm{free}(x)) \to \mathrm{free}(\mathrm{old}(x))$ (9)
$\mathrm{new}(\mathrm{serve}) \to \mathrm{free}(\mathrm{serve})$ (10)
$\mathrm{old}(\mathrm{serve}) \to \mathrm{free}(\mathrm{serve})$ (11)
$\mathrm{check}(\mathrm{free}(x)) \to \mathrm{free}(\mathrm{check}(x))$ (12)
$\mathrm{check}(\mathrm{new}(x)) \to \mathrm{new}(\mathrm{check}(x))$ (13)
$\mathrm{check}(\mathrm{old}(x)) \to \mathrm{old}(\mathrm{check}(x))$ (14)
$\mathrm{check}(\mathrm{old}(x)) \to \mathrm{old}(x)$ (15)



While standard techniques for automated termination proofs of TRSs do not 
succeed for this TRS, with the preprocessing steps (a) - (c) termination can 
easily be shown automatically. 

According to (a), we first delete rules which do not influence termination. By
counting the occurrences of old, with Lemma 20 we can remove Rule (11). Then
in Step (b), we apply the heuristics for semantic labelling and arrive at

$\mathrm{top}_M(x) = \mathrm{check}_M(x) = \mathrm{old}_M(x) = 0$, $\mathrm{new}_M(x) = \mathrm{free}_M(x) = x$, $\mathrm{serve}_M = 1$

for $x \in M = \{0, 1\}$. Indeed this is a model for the TRS. For that purpose, we
had to remove Rule (11) since $\mathrm{old}_M(\mathrm{serve}_M) = 0 \neq 1 = \mathrm{free}_M(\mathrm{serve}_M)$. The
corresponding labelled TRS $\overline{R}$ is

$\mathrm{top}_i(\mathrm{free}_i(x)) \to \mathrm{top}_0(\mathrm{check}_i(\mathrm{new}_i(x)))$ ($7_i$)        $\mathrm{check}_i(\mathrm{free}_i(x)) \to \mathrm{free}_0(\mathrm{check}_i(x))$ ($12_i$)

$\mathrm{new}_i(\mathrm{free}_i(x)) \to \mathrm{free}_i(\mathrm{new}_i(x))$ ($8_i$)        $\mathrm{check}_i(\mathrm{new}_i(x)) \to \mathrm{new}_0(\mathrm{check}_i(x))$ ($13_i$)

$\mathrm{old}_i(\mathrm{free}_i(x)) \to \mathrm{free}_0(\mathrm{old}_i(x))$ ($9_i$)        $\mathrm{check}_0(\mathrm{old}_i(x)) \to \mathrm{old}_0(\mathrm{check}_i(x))$ ($14_i$)

$\mathrm{new}_1(\mathrm{serve}) \to \mathrm{free}_1(\mathrm{serve})$ (10)        $\mathrm{check}_0(\mathrm{old}_i(x)) \to \mathrm{old}_i(x)$ ($15_i$)

for $i \in \{0, 1\}$. It remains to prove termination of this TRS of 15 rules. According
to Step (c) we repeatedly apply Lemma 20. By consecutively choosing $\Sigma' = \{f\}$
for $f$ being $\mathrm{top}_1$, $\mathrm{old}_1$, $\mathrm{new}_1$, $\mathrm{free}_1$, $\mathrm{free}_0$, and $\mathrm{check}_0$, the rules ($7_1$), ($14_1$), (10) and
($13_1$), ($9_1$) and ($12_1$), ($7_0$), and finally ($15_0$) and ($15_1$) are removed. Termination
of the remaining system consisting of the rules ($8_0$), ($8_1$), ($9_0$), ($12_0$), ($13_0$), and
($14_0$) is easily proved by the recursive path order, using a precedence satisfying
$\mathrm{check}_0 > \mathrm{old}_0 > \mathrm{free}_0$, $\mathrm{check}_0 > \mathrm{new}_0 > \mathrm{free}_0$, and $\mathrm{new}_1 > \mathrm{free}_1$. Hence, the
liveness property of this example can be proved automatically.
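The following Python code is added here as an example; it is neither the authors' code nor the tool described in [9]. It mechanizes Steps (a)-(c) of Sect. 5.2, i.e. the iterated rule deletion of Lemma 20 over all $\Sigma'$ with $|\Sigma'| \leq n$ and semantic labelling over the two-element model, and runs them on the waiting-line TRS (7)-(15) with the model chosen above. The heuristic for choosing the model is not implemented: the interpretation is passed in by hand and the code checks that it is a model, so labelling the original nine rules (with (11) still present) raises an error, exactly as the text explains. Terms are nested tuples (symbol, arg_1, ..., arg_n) and a bare string is a variable; labelled symbols are spelled f_a for $f_a$ and labelled rules 7_1 for ($7_1$). These spellings, the term encoding and the bound $n = 2$ are assumptions of the example.

```python
"""Steps (a)-(c) of Sect. 5.2 run on LS(R, old(x)) of Sect. 5.3.  Added example,
not the authors' code.  Terms are nested tuples (symbol, arg_1, ..., arg_n); a bare
string is a variable; a TRS is a dict  name -> (lhs, rhs).  Labelled symbols are
spelled 'f_a' and labelled rules '7_1'; both spellings are choices of this example."""
from itertools import combinations, product


def symbols(t):
    """Function symbols of t, with repetitions."""
    return [] if isinstance(t, str) else [t[0]] + [s for a in t[1:] for s in symbols(a)]


def variables(t):
    """Variables of t, with repetitions."""
    return [t] if isinstance(t, str) else [v for a in t[1:] for v in variables(a)]


def count(t, syms):
    """#_{Sigma'}(t): occurrences in t of symbols from Sigma' = syms."""
    return sum(1 for s in symbols(t) if s in syms)


def prune(rules, max_size=2):
    """Lemma 20, iterated to a fixpoint over all Sigma' with 1 <= |Sigma'| <= max_size:
    whenever no rule increases the Sigma'-count, drop every rule that strictly decreases it."""
    for name, (l, r) in rules.items():
        if any(variables(r).count(v) > variables(l).count(v) for v in set(variables(r))):
            raise ValueError(f"rule {name} is duplicating; Lemma 20 does not apply")
    rules = dict(rules)
    changed = True
    while changed:
        changed = False
        sig = sorted({s for l, r in rules.values() for s in symbols(l) + symbols(r)})
        for k in range(1, max_size + 1):
            for sub in combinations(sig, k):
                if all(count(l, sub) >= count(r, sub) for l, r in rules.values()):
                    drop = [n for n, (l, r) in rules.items() if count(l, sub) > count(r, sub)]
                    for n in drop:
                        del rules[n]
                    changed = changed or bool(drop)
    return rules


def evaluate(t, interp, alpha):
    """alpha(t) in the model: interp maps each symbol f to f_M, alpha each variable to M."""
    return alpha[t] if isinstance(t, str) else interp[t[0]](*[evaluate(a, interp, alpha) for a in t[1:]])


def label(t, interp, alpha):
    """lab_alpha(t): every symbol is labelled with the interpretations of its arguments."""
    if isinstance(t, str):
        return t
    labelled = t[0] + "".join(f"_{evaluate(a, interp, alpha)}" for a in t[1:])
    return (labelled,) + tuple(label(a, interp, alpha) for a in t[1:])


def semantic_labelling(rules, interp, carrier=(0, 1)):
    """The labelled TRS {lab_alpha(l) -> lab_alpha(r)} over all assignments alpha;
    raises ValueError if interp is not a model, i.e. alpha(l) != alpha(r) for some rule."""
    labelled = {}
    for name, (l, r) in rules.items():
        xs = sorted(set(variables(l)) | set(variables(r)))
        for vals in product(carrier, repeat=len(xs)):
            alpha = dict(zip(xs, vals))
            if evaluate(l, interp, alpha) != evaluate(r, interp, alpha):
                raise ValueError(f"not a model: rule ({name}) fails under {alpha}")
            labelled[name + "".join(f"_{v}" for v in vals)] = (label(l, interp, alpha), label(r, interp, alpha))
    return labelled


def preprocess(rules, interp):
    """Step (a), then (b), then (c); Step (d) is left to a termination prover."""
    after_a = prune(rules)
    after_b = semantic_labelling(after_a, interp)
    return after_a, after_b, prune(after_b)


# Rules (7)-(15): LS(R, old(x)) for the waiting-line protocol.
WAITING_LINE = {
    "7": (("top", ("free", "x")), ("top", ("check", ("new", "x")))),
    "8": (("new", ("free", "x")), ("free", ("new", "x"))),
    "9": (("old", ("free", "x")), ("free", ("old", "x"))),
    "10": (("new", ("serve",)), ("free", ("serve",))),
    "11": (("old", ("serve",)), ("free", ("serve",))),
    "12": (("check", ("free", "x")), ("free", ("check", "x"))),
    "13": (("check", ("new", "x")), ("new", ("check", "x"))),
    "14": (("check", ("old", "x")), ("old", ("check", "x"))),
    "15": (("check", ("old", "x")), ("old", "x")),
}
# The model found by the heuristics of Sect. 5.2 for p = old(x), M = {0, 1}.
MODEL = {"top": lambda x: 0, "check": lambda x: 0, "old": lambda x: 0,
         "new": lambda x: x, "free": lambda x: x, "serve": lambda: 1}

if __name__ == "__main__":
    a, b, c = preprocess(WAITING_LINE, MODEL)
    print("after (a):", sorted(a))      # (11) removed
    print("after (b):", len(b), "labelled rules")
    print("after (c):", sorted(c))      # (8_0), (8_1), (9_0), (12_0), (13_0), (14_0) remain
```

Running it prints the eight rules left after Step (a), the 15 labelled rules of Step (b), and the six rules ($8_0$), ($8_1$), ($9_0$), ($12_0$), ($13_0$), ($14_0$) after Step (c), matching the text. The automated run need not follow the hand-chosen sequence $\mathrm{top}_1, \mathrm{old}_1, \ldots$ above: once a rule is removable for some $\Sigma'$ it stays removable after any other deletion, since deletions only weaken the side condition of Lemma 20, so the fixpoint is the same for every order in which the sets $\Sigma'$ are tried. The same prune function applied to the TRS of Ex. 17 removes exactly Rule (4), as described in Sect. 5.2.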

As a second case study we consider the following protocol on a ring of pro- 
cesses (similar to a token ring protocol). Every process is in one of the three 
states sent, rec (received), or no (nothing). Initially at least one of the processes 
is in state rec which means that it has received a message (token). Now the 
protocol is defined as follows: 

If a process is in state rec then it may send its message to its right 
neighbor which then will be in state rec, while the process itself then will 
be in state sent. 
Clearly, at least one process will always be in state rec, and this procedure can
go on forever; we will prove that eventually no process will be in state no. This 
means that eventually all processes have received the message; a typical liveness 
property to be proved. The requirement $\mathrm{NF}(I) \subseteq G$ and in fact $\mathrm{NF}(I) = \emptyset$ (for
$I$ consisting of all configurations containing rec) is easily seen to hold on the
protocol level. According to Thm. 4, for proving the desired liveness property it
suffices to show $\mathrm{SN}(I, \to_G)$. The protocol is encoded by unary symbols sent, rec,
and no, where the right neighbor of each of these symbols corresponds to the 
root of its argument. To obtain a ring topology we add a unary symbol top and 
a constant bot. For a symbol with the argument bot, its right neighbor is defined 
to be the symbol just below top. So again the state of the whole ring network is 
represented by a top-term $\mathrm{top}(f_1(\ldots(f_n(\mathrm{bot}))\ldots))$. Here the size $n$ of the ring
is arbitrary. In order to pass messages from the bot-process n to the top-process 
1, an auxiliary unary symbol up is introduced. 

$\mathrm{rec}(\mathrm{rec}(x)) \to \mathrm{sent}(\mathrm{rec}(x))$ (16)        $\mathrm{sent}(\mathrm{up}(x)) \to \mathrm{up}(\mathrm{sent}(x))$ (21)

$\mathrm{rec}(\mathrm{sent}(x)) \to \mathrm{sent}(\mathrm{rec}(x))$ (17)        $\mathrm{no}(\mathrm{up}(x)) \to \mathrm{up}(\mathrm{no}(x))$ (22)

$\mathrm{rec}(\mathrm{no}(x)) \to \mathrm{sent}(\mathrm{rec}(x))$ (18)        $\mathrm{top}(\mathrm{rec}(\mathrm{up}(x))) \to \mathrm{top}(\mathrm{rec}(x))$ (23)

$\mathrm{rec}(\mathrm{bot}) \to \mathrm{up}(\mathrm{sent}(\mathrm{bot}))$ (19)        $\mathrm{top}(\mathrm{sent}(\mathrm{up}(x))) \to \mathrm{top}(\mathrm{rec}(x))$ (24)

$\mathrm{rec}(\mathrm{up}(x)) \to \mathrm{up}(\mathrm{rec}(x))$ (20)        $\mathrm{top}(\mathrm{no}(\mathrm{up}(x))) \to \mathrm{top}(\mathrm{rec}(x))$ (25)

Now we prove that every infinite top reduction reaches a term without no, proving
the desired liveness property. Applying Thm. 18 for $p = \mathrm{no}(x)$, this can be
done by proving termination of $LS(R,p)$, which consists of Rules (16)–(22) and

$\mathrm{top}(\mathrm{rec}(\mathrm{up}(x))) \to \mathrm{top}(\mathrm{check}(\mathrm{rec}(x)))$ (23a)        $\mathrm{check}(\mathrm{sent}(x)) \to \mathrm{sent}(\mathrm{check}(x))$ (27)

$\mathrm{top}(\mathrm{sent}(\mathrm{up}(x))) \to \mathrm{top}(\mathrm{check}(\mathrm{rec}(x)))$ (24a)        $\mathrm{check}(\mathrm{rec}(x)) \to \mathrm{rec}(\mathrm{check}(x))$ (28)

$\mathrm{top}(\mathrm{no}(\mathrm{up}(x))) \to \mathrm{top}(\mathrm{check}(\mathrm{rec}(x)))$ (25a)        $\mathrm{check}(\mathrm{no}(x)) \to \mathrm{no}(\mathrm{check}(x))$ (29)

$\mathrm{check}(\mathrm{up}(x)) \to \mathrm{up}(\mathrm{check}(x))$ (26)        $\mathrm{check}(\mathrm{no}(x)) \to \mathrm{no}(x)$ (30)

Termination is easily proved completely automatically according to our heuristics:
by respectively choosing $\Sigma'$ to be $\{\mathrm{no}\}$ and $\{\mathrm{rec}, \mathrm{up}\}$ in Lemma 20, the rules
(16), (18), (23a), and (25a) can be removed. After applying labelling according to
our heuristics a TRS is obtained for which termination is proved automatically
by applying Lemma 20 and the recursive path order, cf. [9].

6 Conclusion and Further Research 

We showed how to relate liveness and termination of TRSs and presented a sound 
and complete transformation such that liveness holds iff the transformed TRS 
is terminating. By a simpler sound transformation and by refining termination 
techniques for TRSs we developed an approach to verify liveness mechanically. 

Our results can be refined in several ways. For instance, instead of one unary 
top symbol one can regard several top symbols of arbitrary arity and one can 
extend the framework to liveness w.r.t. several terms $p_1, \ldots, p_n$ instead of just
one $p$. Such refinements and further examples of liveness properties verified by
our method can be found in [9]. For example, we show liveness in a network with
several waiting lines of processes which want to gain access to a shared resource.
This problem is considerably more difficult than the waiting line protocol in
Sect. 5.3, since liveness only holds if the lines are synchronized in a suitable way.
Abstract. The bytecode verifier (BCV), which performs a static analysis
to reject potentially insecure programs, is a key security function
of the Java(Card) platform. Over the last few years there have been 
numerous projects to prove formally the correctness of bytecode verifica- 
tion, but relatively little effort has been made to provide methodologies, 
techniques and tools that help such formalisations. In earlier work, we de- 
velop a methodology and a specification environment featuring a neutral 
mathematical language based on conditional rewriting, that considerably 
reduce the cost of specifying virtual machines. 

In this work, we show that such a neutral mathematical language based 
on conditional rewriting is also beneficial for performing automatic ver- 
ifications on the specifications, and illustrate in particular how implicit 
induction techniques can be used for the validation of the Java(Card) 
Platform. More precisely, we report on the use of SPIKE, a first-order 
theorem prover based on implicit induction, to establish the correctness 
of the BCV. The results are encouraging, as many of the intermediate 
lemmas required to prove the BCV correct can be proved with SPIKE. 



1 Introduction 

Virtual machines, such as the Java(Card) Virtual Machine, provide a means to 
ensure security of mobile code, because the virtual machine controls the inter- 
action between the applet and its environment and hence reduces the risk of 
malicious applets performing a security attack. Furthermore, such architectures 
rely on several mechanisms, known as security functions. A crucial such security 
function of the Java(Card) architecture is the bytecode verifier which performs 
a static analysis on programs and rejects potentially insecure programs. 

Over the last few years there have been numerous projects to specify such 
virtual machines and their bytecode verifiers, and to prove the correctness of 
bytecode verification. While several projects have been very successful in their 
work, such endeavours are labour-intensive and suffer from the lack of adequate 
tool support, see Section 5.1. Our line of work is precisely to develop method- 
ologies, techniques and tools that reduce the cost of developing and maintaining 
such formalisations. 
CertiCartes In early work [5,4], we have developed a robust methodology to
validate bytecode verifiers. The methodology consists in defining three vir- 
tual machines: 

— a reference, so-called defensive, virtual machine where values are tagged 
by their type and where typing information is verified at run-time; 

— an abstract virtual machine that manipulates types and that is used for 
bytecode verification; 

— a “standard”, so-called offensive, virtual machine, where values are un- 
typed, and which relies on successful bytecode verification to eliminate 
type verification at run-time. 

The advantages of our methodology are three-fold:

1. the offensive and abstract virtual machines can be derived from the de- 
fensive virtual machine using abstraction techniques; 

2. the correctness of bytecode verification is now crisply stated as: “the 
offensive and defensive virtual machines coincide on those programs that 
pass bytecode verification”; 

3. the correctness of bytecode verification follows from the correctness of 
the abstractions of the defensive virtual machine into an offensive and an 
abstract virtual machine respectively, and from a generic development 
that establishes the correctness of the derivation of the bytecode verifier 
from the abstract virtual machine — the development is presented in [18] 
and further refined in [2,15]. 

Jakarta In previous work [1,3], we argue that a neutral mathematical language 
is beneficial for performing automatic transformations on the specifications. 
Further, we introduce the Jakarta Specification Language (JSL), a simple 
typed specification language based on conditional rewriting, and the Jakarta 
Transformation Kit (JTK), an abstraction engine which constructs an offen- 
sive and an abstract virtual machine from the defensive virtual machine. The 
results with the JTK are encouraging, as it automates to a large extent the 
derivation of the offensive and abstract virtual machine; indeed, user inter- 
action is limited to abstraction scripts that contain information on how the 
abstractions are to be constructed, and that are typically 10 times shorter 
than the latter. 

SPIKE In this work, we show that the choice of a neutral mathematical lan- 
guage based on conditional rewriting is also beneficial for performing au- 
tomatic verifications on the specifications, and illustrate in particular how 
SPIKE, a first-order theorem prover based on implicit induction techniques 
[7,20], can be used for the validation of the JavaCard Platform. Results 
are encouraging, as many of the intermediate lemmas required to prove the 
correctness of the BCV, are proved by SPIKE with very limited user inter- 
action; we return to this point in Section 5. 

The remainder of the paper is organised as follows: Section 2 provides the necessary
background on CertiCartes and introduces the problem to be addressed.
Section 3 gives a brief introduction to SPIKE, and describes the main improve- 
ments that were implemented to handle the specification and validation of vir- 
tual machines. In Section 4, we turn to the application of SPIKE for proving 
the cross-validation of virtual machines. Finally, we conclude in Section 5 with
related work and directions for future work.

ard. We would also like to thank Pierre Courtieu for useful discussions, and the
Project IST-2000-26328.

2 A Primer on CertiCartes 

CertiCartes is an in-depth feasibility study in the formal verification, using the 
Coq proof assistant [12], of the JavaCard Platform — recall that JavaCard is a 
dialect of Java tailored towards programming multi-application smartcards. In a 
nutshell, CertiCartes contains formal specifications of (one-step execution of) a 
defensive, an abstract and an offensive JavaCard Virtual Machine (JCVM) and 
of the BCV, and a proof that the defensive and offensive VMs coincide on those 
programs that pass bytecode verification. 

Virtual Machines In order to formalize the semantics of the virtual machines: 

— we model programs as a triple consisting of a list of classes, a list of inter- 
faces, and a list of methods. Classes, interfaces and methods are represented 
likewise as appropriate tuples; 

— we define for each machine a notion of state: dstate which builds upon
typed values for the defensive machine, astate which takes types as values
for the abstract machine, and ostate which builds upon untyped values
for the offensive machine. Further, we define an associated notion of return
states: drstate for the defensive machine, arstate for the abstract machine,
and orstate for the offensive machine, that extends states with a tag
to account for normal/abnormal termination, and in the case of the abstract
machine returns lists of states to account for non-determinism;

— we model the semantics of each JavaCard bytecode b as a function ?exec_b :
?state → r?state, where ? ranges over d, a and o — note that in our formalisation,
the JCVM instruction set is factorized into 45 generic instructions, as many
instructions only differ by the type of their arguments, and can be factorized
using a polymorphic instruction. Typically, the function ?exec_b extracts
values from the state, performs type verification on these values, and
extends/updates the state with the results of executing the bytecode;

— we model one-step execution as a function ?exec : ?state → r?state
which inspects the state to extract the JavaCard bytecode b to be executed
and then calls the corresponding function ?exec_b.

In order to prove the correctness of the BCV, we must prove three crucial 
properties about virtual machines: 
[Fig. 1. Commutative diagram of defensive and offensive execution, relating dstate and rdstate to the offensive states via s2os and rs2ors.]

[Fig. 2. Commutative diagram of defensive and abstract execution, relating dstate and rdstate to astate and the abstract return states via s2as and rs2ars.]



— CDO: the offensive abstract virtual machine is a sound abstraction of the 
defensive virtual machine, as illustrated by the commuting (up to the absence 
of typing error in the defensive execution) diagram in Fig. 1, where s2os 
is the function mapping states to offensive states (by omitting types from 
values), and rs2ors denotes its lifting to return states; 

— CDA: the abstract virtual machine is a sound abstraction of the defensive
virtual machine, as illustrated by the commuting (up to subtyping, as indicated
by the $\leq$ relation in the right arrow, and under suitable conditions,
e.g. that execution does not raise an exception and keeps in the same frame)
diagram in Fig. 2, where s2as is the function mapping states to abstract
states (by projecting values to types), and rs2ars denotes its lifting to
return states;

— MON: the abstract virtual machine is monotonic w.r.t. the order induced 
by the inheritance relations on classes and interfaces. 

For each of the properties considered, the proof proceeds by a case analysis on 
the bytecode to be executed, and then by an analysis of the possible outcomes 
of execution. 

Bytecode verifier The BCV is derived by instantiating a dataflow analyser with 
the abstract JCVM, and its correctness is derived from CDO, CDA and MON, 
using a generic (i.e. independent from the specifics of the JCVM) proof that jus- 
tifies the dataflow analysis and the compositional, method- by-method, algorithm 
underlying bytecode verification, see [2,16,18]. 



3 SPIKE 

SPIKE provides an environment to verify clausal formulas in the initial model 
of many-sorted constructor-based theories presented by first-order conditional 
rules, and hence seems to be a good candidate for proving CDA, CDO and MON.
Nevertheless, the standard distribution of SPIKE could not be used, since its 
specification language is too restricted, and its proof engine is not sufficiently 
optimized. Below we report on a number of improvements that were undertaken 
in order to apply SPIKE to our problem. 



3.1 Specification Language 

Parameterized Specifications The JavaCard VM specifications are based on
a large number of parameterized datatypes and functions. In particular,
polymorphic lists are used intensively in the memory model: for example the 
heap is described as a list of objects, and the stack as a list of frames; further, 
each frame comes up with an operand stack and a set of local variables, each of 
which is described as a list of values. However, such parameterized specifications 
are not handled by the standard version of SPIKE. In order to perform our 
case study, we had to extend the syntax, type checking and inference system of 
SPIKE to deal with parameterized specifications — a similar work is described 
in detail in [6], but had not been integrated in the standard version of SPIKE. 

Introduction of Existential Variables The axioms of standard SPIKE specifica-
tions consist of conditional rewrite rules of the form

$l_1 = r_1, \ldots, l_n = r_n \Rightarrow g \to d$

where all variables in the conditions and in d are required to occur in g. Formally,
SPIKE requires that $var(d) \subseteq var(g)$ and that for $1 \le i \le n$, $var(l_i) \subseteq var(g)$
and $var(r_i) \subseteq var(g)$. However, most functions defining the semantics of the
JCVM fail to meet this requirement, as variables in the $r_i$'s are fresh. In order
to handle the JCVM specifications, we have enhanced SPIKE with the ability
to handle such variables, which we call existential.

Obtaining SPIKE specifications of the JCVMs We have implemented mecha- 
nisms that may be used to compile a large class of Coq specifications to JSL 
and SPIKE, and that have been used to produce SPIKE specifications of the 
JCVMs from CertiCartes. 



3.2 Description of SPIKE’s Proof Engine 

In order to motivate and explain our extensions to SPIKE, we begin with a 
short description of its proof engine. 

Principles SPIKE’s proof method is based on Cover Set Induction which en- 
compasses different reasoning techniques, most of them based on conditional 
rewriting, case analysis and subsumption, and combines the advantages of ex- 
plicit induction and of proofs by consistency [7,20]. 
In a nutshell, the method is parameterized by a set of axioms Ax, and pro-
ceeds by modifying incrementally two sets of clauses, (E, H), where E con-
tains the conjectures to be checked and H contains clauses, previously in E,
that have been reduced. The method is modelled by means of the relation
$(E, H) \vdash_{\mathrm{SPIKE}} (E', H')$ which is described below. We say that a formula $\phi$ is
an inductive theorem w.r.t. Ax if there exists a finite derivation of the form
$(\{\phi\}, \emptyset) \vdash_{\mathrm{SPIKE}} \cdots \vdash_{\mathrm{SPIKE}} (\emptyset, H)$; we call this derivation a proof of $\phi$.

Proof system Given a set of conditional rules R derived from the orientation
of Ax, SPIKE computes covering substitutions, i.e. a family of substitu-
tions covering all possible cases for the induction variables. These substitutions are
applied to conjectures, generating special instances which are then simplified by
rules, lemmas and induction hypotheses. This instantiation/simplification oper-
ation creates new subgoals that are processed in the same way in the following
steps. Concretely, the relation $(E \cup \{C\}, H) \vdash_{\mathrm{SPIKE}} (E', H')$, that transforms the
current conjecture C, is defined by the rules of Fig. 3. The Generate inference
rule computes appropriate covering substitutions which are then applied to C.
These so-built instances are then simplified by rules and lemmas and appropriate
instances of E and H. The set of induction hypotheses available for the simplifi-
cation of the cover-set instance $C\sigma$ are ad-hoc instances of the current set of E,
{C} and H, strictly smaller (w.r.t. a decreasing order over clauses $<_c$) than $C\sigma$.
The Simplify inference rule transforms a conjecture into a (potentially empty)
set of new and simpler conjectures.

Strategies SPIKE offers the user limited, but crucial, mechanisms to interact 
with the proof engine. For each conjecture, the user can i) introduce intermedi- 
ate lemmas that are first proven automatically and then used to establish the 
conjecture; ii) define a particular proof strategy that gives the order of execution 
for inference rules; iii) influence the inner mechanisms of some inference rules; 
for example the user can specify the order in which reducible terms are rewritten 
or the way the induction variables are chosen. These interaction mechanisms are 
crucial to guarantee that proof runs finish with success — when an empty set of 
conjectures is obtained. Of course, not all proof runs are successful; they may 
also diverge, or finish with failure; in the latter case the prover provides (under 
certain conditions) a counterexample to the initial conjectures. 

Soundness SPIKE’s inference engine is: 

— sound, i.e. every conjecture that is successfully processed is valid; 

— refutationally sound, i.e. the detection of a counterexample implies the ex- 
istence of a counterexample in the initial conjectures [6]. 

3.3 Extensions of SPIKE’s Proof Engine 

We only provide a concise and informal description of the extensions that we have 
implemented, and briefly indicate their impact on soundness; a more detailed and 
formal description of these extensions can be found in [21]. 
Generate: $(E \cup \{C\}, H) \vdash_{\mathrm{SPIKE}} (E \cup \bigcup_{\sigma \in CSS(C)} E'_\sigma,\; H \cup \{C\})$
    if $\{C\sigma\} \vdash_{\mathrm{Simplify}} E'_\sigma$ for every $\sigma \in CSS(C)$

Simplify: $(E \cup \{C\}, H) \vdash_{\mathrm{SPIKE}} (E \cup E', H)$
    if $\{C\} \vdash_{\mathrm{Simplify}} E'$

Recall that:

— a term t is said to be inductively R-reducible (resp. R-irreducible) if, for each
substitution $\gamma$ mapping variables to R-irreducible terms, $t\gamma$ is R-reducible (resp.
R-irreducible);

— a cover set for a conditional rewrite system R, CS(R), is a finite set of R-irreducible
terms such that for every ground R-irreducible term s, there is a term t in CS(R) and
a ground substitution $\alpha$ such that $Ax \models t\alpha = s$. From a cover set for a conditional
rewrite system, we can build cover sets for clauses;

— a cover substitution for a clause C instantiates a particular subset of Var(C) (called
induction variables) by terms obtained from CS(R) whose variables are replaced
by fresh ones. We will denote by CSS(C) the set of all possible cover substitutions
for C;

— the set $\{C\sigma \mid \sigma \in CSS(C)\}$ is a cover set for the clause C.

Fig. 3. SPIKE's inference system.



Adaptation of the Inference System. In order to handle the extensions
of the specification language, we have modified the inference system, and in
particular the Generate rule. First, the parameterized variables cannot be in-
stantiated by Generate rules during the proofs. Second, the Generate rule
is modified so that SPIKE i) forbids the instantiation of existential variables,
unless all induction variables are tagged as existential; ii) does not put the cur-
rent conjecture in the set of premises if its cover-set instances are simplified with
conditional rewrite rules introducing existential variables. W.r.t. i), observe that
if no special provision were made, no inference rule could be applied if all induc-
tion variables are tagged as existential. In some circumstances however, we may
want the proof to proceed, and so we force such a behavior by generalizing exis-
tential variables to universal ones in order to perform Generate. One drawback
of this solution is the loss of refutational soundness, as the new rule potentially
introduces new artificial counterexamples in the derivation by a generalization
operation. Nevertheless, the new rule preserves the soundness of the system.
W.r.t. ii), existential variables break the order condition requiring that the left-
hand side be greater than the conditions and the right-hand side. This implies
that if the current conjecture contained a counterexample, the new set of
conjectures could not be guaranteed to contain a smaller one. However, this condition is crucial
for allowing the current conjecture to participate in further inferences [20]. In
such cases, the transformation of a cover-set instance $C\sigma$ can be considered as an
instance of the Simplify rule, which in addition (w.r.t. the Generate rule) allows
the use of H instances equivalent to $C\sigma$. Summing up, the resulting system is
sound, but not refutationally sound.



Improvements over the Inference System 

New Induction Schemas In the standard implementation, each cover substitu-
tion for a clause C should instantiate all the induction variables from C. There-
fore, the number of cover substitutions is exponential w.r.t. the number of induction
variables. For real applications such as the cross-validation of the JCVMs, this
induction scheme generates thousands of cover substitutions and the prover's per-
formance becomes unacceptably poor.

In order to overcome this problem, we have implemented the following in-
duction scheme, which leads to a major improvement in terms of performance:
assume that there exists a (sub)term t of C whose head symbol is defined and
that unifies with the left-hand sides of the axioms defining the head symbol. From
the most general unifier, we can immediately deduce the cover substitution
$\sigma$ and the axiom that can simplify $C\sigma$. Therefore, the number of cover substitu-
tions is limited to the number of axioms defining the head symbol, usually in
the tens. As explained above, the improved schema is sound because the specifi-
cation is constructor-based, complete and strongly complete. The last property
guarantees that the disjunction of the conditions related to instances of axioms
having the same left-hand side is valid.

Although of no consequence for our purposes, this scheme is not fit to prove
conjectures having different (sub)terms that share induction variables, such as
the associativity of addition over naturals; it leads to a proof divergence.
Therefore, we have adopted the following heuristic: recursively, if the (sub)term
t shares induction variables with another (sub)term t' of C, compute also the
cover substitutions and apply the heuristic for t' as for t. Since the number of
(sub)terms of C is finite, this heuristic terminates. At the end, by combining
the partial cover substitutions, it returns a set of cover substitutions such
that the resulting instances of C can be simplified at every position corresponding
to the terms treated by the heuristic (like t and t'). In our proofs, the number
of cover substitutions still remains in the tens.
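As an added illustration (not SPIKE's code), the following Python sketch contrasts the two induction schemes above on the subterms of the conjecture (x + y) + z = x + (y + z) over the naturals: the standard scheme enumerates one test-set term per induction variable, the axiom-driven scheme unifies a subterm with a defined head symbol against the left-hand sides of the axioms defining that symbol. The term encoding, the small unifier and the axiom table are assumptions of this example; the heuristic for subterms sharing induction variables is not modelled.

```python
# Added example, not SPIKE's code: the two cover-substitution schemes of
# Sect. 3.3 on subterms of (x + y) + z = x + (y + z) over the naturals.
# Term encoding, unifier and axiom table are assumptions of this example.
from itertools import product


# variables are strings other than "0"; "0" is the constant; ("s", t) and
# ("+", t, u) are applications
def is_var(t):
    return isinstance(t, str) and t != "0"


# left-hand sides of the axioms defining "+": x + 0 and x + s(y)
AXIOM_LHS = {"+": [("+", "x", "0"), ("+", "x", ("s", "y"))]}
# cover set CS(R) for sort nat: the constructors applied to fresh variables
TEST_SET = ["0", ("s", "v")]


def vars_of(t, acc=None):
    acc = set() if acc is None else acc
    if is_var(t):
        acc.add(t)
    elif isinstance(t, tuple):
        for a in t[1:]:
            vars_of(a, acc)
    return acc


def apply(sub, t):
    """Apply substitution sub (dict var -> term) to t, following chains."""
    if is_var(t):
        return apply(sub, sub[t]) if t in sub else t
    if isinstance(t, tuple):
        return (t[0],) + tuple(apply(sub, a) for a in t[1:])
    return t


def unify(a, b, sub=None):
    """Syntactic unification; returns an mgu as a dict, or None."""
    sub = {} if sub is None else sub
    a, b = apply(sub, a), apply(sub, b)
    if a == b:
        return sub
    if is_var(a):
        if a in vars_of(b):          # occurs check
            return None
        sub[a] = b
        return sub
    if is_var(b):
        return unify(b, a, sub)
    if isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0] and len(a) == len(b):
        for x, y in zip(a[1:], b[1:]):
            sub = unify(x, y, sub)
            if sub is None:
                return None
        return sub
    return None


def naive_cover_substitutions(induction_vars):
    """Standard scheme: every induction variable is instantiated by every
    test-set term, so the number of substitutions is |CS(R)|^k."""
    subs = []
    for choice in product(TEST_SET, repeat=len(induction_vars)):
        # the test-set variable v is renamed to a fresh variable named after the induction variable
        sub = {v: apply({"v": v + "'"}, c) for v, c in zip(induction_vars, choice)}
        subs.append(sub)
    return subs


def axiom_driven_cover_substitutions(t):
    """New scheme: unify the subterm t (defined head symbol) with the renamed
    left-hand sides of the axioms defining that symbol. Each mgu, restricted
    to the variables of t, is a cover substitution sigma, and the axiom index
    tells which axiom will simplify C sigma. At most one substitution per axiom."""
    result = []
    for k, lhs in enumerate(AXIOM_LHS[t[0]]):
        lhs_k = apply({v: f"{v}_{k}" for v in vars_of(lhs)}, lhs)   # rename apart
        mgu = unify(lhs_k, t)
        if mgu is not None:
            sigma = {v: apply(mgu, v) for v in vars_of(t) if v in mgu}
            result.append((sigma, k))
    return result


# the conjecture's left-hand side (x + y) + z; induction variables x, y, z
CONJ_LHS = ("+", ("+", "x", "y"), "z")
```

For CONJ_LHS the standard scheme yields 2^3 = 8 substitutions, the axiom-driven scheme only the two cases z = 0 and z = s(y_1), each paired with the axiom that will simplify the instance.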

New Inference Rules The following inference rules, illustrated in Fig. 4, have
been added in order to exploit the conditions of conjectures:

1. auto simplification. It allows the rewriting of a conjecture with its negative
literals, and allows eliminating an existential variable from the rest of a
conjecture as soon as it appears in a top position in equalities. Note that the
order $>_e$ is an extension of the usual recursive path ordering to existential
variables: for example, an existential variable x is always greater than any
term that does not contain x and is not itself an existential variable;

2. congruence closure. If a conjecture contains as conditions literals of
the form s = t and t = u then the new literal s = u is added to the conditions.
The new literals are built using a completion algorithm having as input all
Auto Simplification: $(E \cup \{C\}, H) \vdash_{\mathrm{SPIKE}} (E \cup \{C'\}, H)$
    if $s = t$ is a negative literal of $C$, $s >_e t$, and $C'$ is the clause $C$ rewritten
    with $s \to t$, excepting the term $s$ of $s = t$

Congruence Closure: $(E \cup \{\ldots s = t \ldots \wedge t = u \wedge \ldots \Rightarrow l\}, H) \vdash_{\mathrm{SPIKE}} (E \cup \{C'\}, H)$
    where $C' = \ldots s = t \ldots \wedge t = u \wedge \ldots \wedge s = u \Rightarrow l$

Augmentation: $(E \cup \{\mathit{cond} \Rightarrow l\}, H) \vdash_{\mathrm{SPIKE}} (E \cup \{\mathit{cond} \wedge t \Rightarrow l\}, H)$
    if there exists a clause $\mathit{cond}' \Rightarrow t$ in $R \cup H \cup E$
    s.t. every literal of $\mathit{cond}'$ is subsumed by $\mathit{cond}$

Fig. 4. New inference rules.



the negative literals of the current conjecture. The procedure is refined by
looking in priority for new equalities between constructor terms. If the head
symbols of both sides of a new equality are the same, we can derive new
equalities by a decomposition operation, otherwise the clause is eliminated
from the set of conjectures;

3. augmentation. Given a conditional clause, its conclusion can be added
to the conditions cond of a conjecture if the conditions of the clause are
discharged by cond [8]. The typical use of this rule in our applications is
when the clause is a non-orientable user-defined lemma.

Additional applicability conditions are put such that each of these inference rules 
is an instance of the Simplify rule. Hence the soundness of these rules follows 
from the soundness of the abstract inference system of Figure 3. 

The application strategy of the inference rules is standard: first try
the Simplify rules that do not add new conjectures, then the other Simplify
rules and, finally, the Generate rules.

Implementation Optimisations Another major improvement in terms of execu- 
tion time is the recording of the failures of the inference rules application in 
order to avoid useless computation. Some of the recordings are performed at the 
level of clauses (for example, for subsumption), others at the level of terms (for 
example, for rewriting). If a rewrite operation with an unconditional rule fails 
at a given position of a conjecture, the rule’s identification number is associated 
to that position such that the rule is avoided in the further rewriting operations 
as long as the term containing the position does not change. 

4 Applications to JavaCard

In this section, we describe the results of our experiments using the extended
version of SPIKE to prove CDO, CDA and MON. For each instruction, we have
three modules, one for each property CDA, CDO, and MON; this separation has
no other purpose than convenience for carrying out our experiments and collecting
statistics. Each module consists of three parts: an algebraic specification, in our
case parts of the description of the JCVMs, a logical theory to be proven, in our
case some assumptions about the program and statements of CDA, CDO and
MON, and a strategy that determines the prover's behavior during the proofs.
The modules are available at www.loria.fr/~stratula/verificard.



4.1 CDO

The new version of SPIKE has been used to verify CDO for most instructions
(41 out of 45). Figure 5 provides an excerpt of the SPIKE module used to prove
CDO for the function CONV, which factors several of the conversion bytecodes of
the JCVM: s2b (short to byte), s2i (short to integer), i2b (integer to byte),
i2s (integer to short). Table 1 provides some statistics about this experiment.
In the second column, we indicate whether the proof has already been done (yes) or not
yet (n.y.). The third column presents the number of lemmas introduced by the
user (and proved previously by SPIKE), while the other columns show respec-
tively the number of Generate rules, normalization operations with uncondi-
tional rules, case rewriting with conditional rules, syntactic subsumption rules,
tautology elimination rules and the execution time. Note that most proofs are
automatic, i.e. do not require users to provide SPIKE with additional lemmas,
and are done in a reasonable time.
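As an added example, not code from the paper or from the SPIKE or CertiCartes distributions, the following Python model instantiates the CDO conjecture of Fig. 5 for CONV on concrete states: a defensive CONV that checks the tag of the operand (abortCode on a type or signature error), an offensive oCONV that trusts the operand, and the erasure functions s2os/rs2ors. The names follow Fig. 5; their bodies, the tag representation and the (source type, destination type, value) argument order of t_convert are simplifying assumptions.

```python
# Added example: a toy model of the CDO conjecture of Fig. 5 for CONV.
# Not code from the paper nor from SPIKE/CertiCartes; names follow Fig. 5,
# bodies are simplifying assumptions (so is the (src, dst, value) argument
# order of t_convert).
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class VPrim:            # typed primitive value of the defensive machine
    ty: str             # "Byte", "Short" or "Int"
    val: int


@dataclass(frozen=True)
class Frame:
    opstack: Tuple[VPrim, ...]   # top of stack is the last element


@dataclass(frozen=True)
class State:
    frames: Tuple[Frame, ...]    # stack_f(state); top frame is the last element


@dataclass(frozen=True)
class Normal:           # returned_state: execution continues in the new state
    state: State


@dataclass(frozen=True)
class abortCode:        # returned_state: execution aborted with an error code
    err: str
    state: State


WIDTH = {"Byte": 8, "Short": 16, "Int": 32}


def t_convert(src: str, dst: str, v: int) -> int:
    """Two's-complement conversion of v from width src to width dst."""
    bits = WIDTH[dst]
    v &= (1 << bits) - 1
    return v - (1 << bits) if v >= (1 << (bits - 1)) else v


def extr_from_opstack(src: str, opstack):
    """Defensive pop: ("Inl", (value, rest)) when the top is a primitive of
    type src, ("Inr", error) otherwise."""
    if not opstack:
        return ("Inr", "Signature_error")
    top, rest = opstack[-1], opstack[:-1]
    if top.ty != src:
        return ("Inr", "Type_error")
    return ("Inl", (top.val, rest))


def CONV(src: str, dst: str, state: State):
    """Defensive CONV, one branch per axiom CONV:1, CONV:3, CONV:2 of Fig. 5."""
    if not state.frames:                               # CONV:1  stack_f = Nil
        return abortCode("State_error", state)
    frame, lower = state.frames[-1], state.frames[:-1]
    tag, payload = extr_from_opstack(src, frame.opstack)
    if tag == "Inr":                                   # CONV:3  Inr(error)
        return abortCode(payload, state)
    v, rest = payload                                  # CONV:2  Inl(Pair(v, rest))
    pushed = rest + (VPrim(dst, t_convert(src, dst, v)),)
    return Normal(State(lower + (Frame(pushed),)))     # update_frame(push_opstack(..))


def oCONV(src: str, dst: str, ostate):
    """Offensive CONV: untyped values, no check at all."""
    frame, lower = ostate[-1], ostate[:-1]
    v, rest = frame[-1], frame[:-1]
    return ("Normal", lower + (rest + (t_convert(src, dst, v),),))


def s2os(state: State):
    """Erase type tags: defensive state -> offensive state."""
    return tuple(tuple(v.val for v in f.opstack) for f in state.frames)


def rs2ors(res):
    """Lift s2os to returned states."""
    if isinstance(res, Normal):
        return ("Normal", s2os(res.state))
    return ("abortCode", res.err, s2os(res.state))


def cdo_holds(src: str, dst: str, state: State) -> bool:
    """The conjecture of Fig. 5 at one state with a non-empty frame stack:
    res = abortCode(Type_error) or res = abortCode(Signature_error)
    or rs2ors(res) = oCONV(src, dst, s2os(state))."""
    assert state.frames, "hypothesis of the conjecture: Cons(h, lf)"
    res = CONV(src, dst, state)
    if isinstance(res, abortCode) and res.err in ("Type_error", "Signature_error"):
        return True
    return rs2ors(res) == oCONV(src, dst, s2os(state))
```

A state whose operand top is mistyped is exactly the case in which the offensive machine computes a value the defensive machine refuses; CDO discharges that case only because the BCV rejects such programs before the offensive machine runs them.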



4.2 CDA and MON 

We are now working on the proofs of CDA and MON, and have proven both prop- 
erties for around half of the instructions. These properties are more challenging 
to prove than CDO, in particular because they rely on a number of invariants 
about JavaCard programs and the JCVM memory model. Thus users must pro- 
vide appropriate invariants for the proofs to go through; as the formulation of 
such invariants can only be made during proofs, the benefits of automation are 
less clear for CDA and MON. 



4.3 Assessment 

We briefly comment on the effectiveness of the tool, and establish a comparison 
with our work on CertiCartes. 

Automation SPIKE provides a reasonable level of automation, and there is no
need to tune the strategy for each lemma to be proved. The best results are
achieved with CDO, which for many bytecodes can be proved automatically,
i.e. without requiring the users to provide intermediate lemmas. As explained
above, the level of automation is lower for CDA and MON. We detail below two
directions for improvement.
The module begins with the name of the specification, and follows by declaring the
types (or sorts), constructor symbols, and defined functions of the specification. Then
the behavior of defined functions is specified by means of clauses. The module is com-
pleted by fixing a proof strategy, and by declaring the conjectures to be proven; note
that conjectures are formulated as equational clauses.

    specification : CONV
    sorts : list type_prim jcvm_state ...
    constructors :
      Nil : -> (list 'A); Cons : 'A (list 'A) -> (list 'A); ...
    defined functions :
      CONV : type_prim type_prim jcvm_state -> returned_state; ...
    axioms :
      % CONV : 1
      stack_f(u1) = Nil =>
        CONV(u2, u3, u1) -> abortCode(State_error, u1);
      % CONV : 2
      stack_f(u1) = Cons(e2, e3),
      extr_from_opstack(u4, opstack(e2)) = Inl(Pair(e5, e6))
        => CONV(u4, u7, u1) -> update_frame(
             push_opstack(VPrim(tpz2vp(u7, t_convert(u4, u7, e5))), e6, e2), u1);
      % CONV : 3
      stack_f(u1) = Cons(e2, e3),
      extr_from_opstack(u4, opstack(e2)) = Inr(e5)
        => CONV(u4, u6, u1) -> abortCode(e5, u1);

    strategy : ...
    conjectures :
      state = Build_jcvm_state(sh, hp, Cons(h, lf)),
      res = CONV(n, z0, state) =>
        res = abortCode(Type_error, state),
        res = abortCode(Signature_error, state),
        rs2ors(res) = oCONV(n, z0, s2os(state));

Fig. 5. An excerpt of a SPIKE specification formalizing the instruction CONV.
Table 1. Statistics for CDO proofs carried out on a PC equipped with a 3.06 GHz Pentium
processor and 512 Mbytes RAM.

instruction       proved  lemmas  Generate  U. R.  C. R.  Subsumption  Taut.  time
ACONST_NULL       yes     0       0         4      1      0            1      0.5s
ALOAD             n.y.    0       0         0      0      0            0      0.0
ARITH             yes     33      100       8771   2893   979          2178   8m
ARRAYLENGTH       yes     22      23        880    199    105          567    16s
ASTORE            n.y.    0       0         0      0      0            0      0.0
ATHROW            yes     24      24        2021   29     168          3496   1m42s
CHECKCAST         yes     79      88        1531   382    153          4741   1m44s
CONST             yes     0       1         24     7      0            7      0.5s
CONV              yes     0       94        999    405    12           495    0.54s
DUP               yes     0       4         21     3      2            26     0.13s
DUP2              yes     0       4         45     4      4            62     0.25s
GETFIELD          yes     24      49        4080   1074   347          4581   1m57s
GETFIELD_THIS     yes     24      49        4080   1074   347          4581   1m56s
GETSTATIC         yes     0       22        313    25     23           543    2.58s
GOTO              yes     0       0         4      1      0            1      0.07s
ICMP              yes     0       93        283    6      135          156    1.9s
IFNONNULL         yes     0       20        85     23     13           54     0.47s
IFNULL            yes     0       22        89     15     13           56     0.85s
IF_ACMP_COND      yes     13      38        147    31     48           99     1.3s
IF_COND           yes     0       46        175    117    97           81     0.4s
IF_SCMP_COND      yes     0       75        288    130    116          163    1.3s
INC               yes     0       10        217    29     22           566    1.5s
INSTANCEOF        yes     66      72        4173   1838   1203         5388   297m
INVOKEINTERFACE   yes     47      53        951    171    261          2026   0.38s
INVOKESPECIAL     yes     41      54        633    103    166          1097   13s
INVOKESTATIC      yes     8       12        42     7      13           72     0.4s
INVOKEVIRTUAL     yes     49      57        891    172    251          1576   31s
JSR               yes     0       0         4      1      0            1      0.15s
LOAD              yes     0       17        196    25     20           417    1.7s
LOOKUPSWITCH      yes     19      33        3434   1208   372          7414   52.4s
NEG               yes     2       16        87     38     24           76     1.2s
NEW               yes     1       7         26     3      4            33     0.17s
NEWARRAY          yes     22      31        4239   435    574          7540   1m07s
NOP               yes     0       0         4      1      0            1      0.05s
POP               yes     0       6         25     3      3            26     0.1s
POP2              yes     0       9         31     3      3            27     0.1s
PUSH              yes     0       1         9      1      0            10     0.4s
PUTFIELD          n.y.    0       0         0      0      0            0      0.0
PUTFIELD_THIS     n.y.    0       0         0      0      0            0      0.0
PUTSTATIC         yes     21      57        643    155    124          1096   9s
RET               yes     0       6         36     3      4            37     0.14s
RETURN            yes     8       11        200    33     2            199    0.92s
STORE             yes     0       55        554    139    95           2028   9.8s
SWAP              yes     0       13        51     4      5            64     0.3s
TABLESWITCH       yes     17      86        13651  10830  1190         4302   15m43
Counterexamples SPIKE provides useful feedback to the specifier. By permit-
ting the automatic refutation of false conjectures, SPIKE highlights, at a rel-
atively low cost, possible problems in the specifications. This is essential for
complex, large-scale formalisations which are bound to contain bugs, at least in
their initial stages.

Expressivity SPIKE is expressive enough for specifying the virtual machines, 
and the properties CDO, CDA and MON. However it is not expressive enough 
to prove the correctness of the BCV, see below. 

Comparison with CertiCartes CDA, CDO and MON have been proved inde-
pendently in the Coq proof assistant. The comparison holds no surprise: e.g.
SPIKE provides a better level of automation than Coq, but on the other hand
proofs that are not automatic may be harder to go through in SPIKE. Further,
Coq is more expressive than SPIKE, and provides an adequate environment to
specify (and prove) some properties of the JavaCard platform that cannot even
be stated in SPIKE — most of the work reported in [2] cannot be cast in SPIKE.

Directions for improvement We see two directions of work for optimizing the
usefulness of SPIKE in the context of the certification of the JavaCard platform:

— Automatic generation of intermediate lemmas: for a number of byte-
codes, SPIKE requires users to provide intermediate results for establishing
CDO, CDA and MON. Many such lemmas are of a similar shape, and
could be generated automatically so as to minimize user interactions. One
possibility that we are exploring is to exploit the abstraction script used to
generate the offensive/abstract machine from the defensive one for generat-
ing such lemmas;

— Connection with Coq: while SPIKE provides a reasonable level of au-
tomation, not all proofs can be performed automatically. Further, Coq is
more expressive than SPIKE, as explained above. In this respect, it may
be beneficial to connect Coq and SPIKE so that Coq users may appeal to
SPIKE to discharge some proof obligations automatically, as is done for
example for Coq and Elan [17]. In particular, such a connection would allow
users to discharge automatically many trivial (sub)cases of CDA and MON,
namely those which do not rely on any invariant.

5 Conclusion and Future Work 

5.1 Related Work 

Our work is an attempt to apply rewriting techniques to validate security archi- 
tectures for low-level languages used in smartcards. There have been a number 
of other applications of rewriting techniques to security, but these works fo- 
cus on different aspects of security, such as network security and cryptographic 
protocols, see e.g. [10,13]. 

Our work is related to existing efforts to provide formal specification and
correctness proofs for open platforms, including those carried out by E. Gimenez
and co-authors at Trusted Logic, by J.-L. Lanet and co-workers at Gemplus [9]
(abstract B machines for the JCVM and BCV), by T. Nipkow and co-workers at
Munich [16] (Java, JVM, BCV, and compiler in Isabelle), by J. Strother Moore
and co-workers at U. of Texas (JVM and BCV in ACL2) — note that some other
works, e.g. [19,11], provide machine-executable semantics, but pencil-and-paper
formal proofs. For lack of space, we refer to [14] for further information, and limit
ourselves to noting that most of these specifications implicitly use a restricted
framework, whereas our work is distinctive in making this restricted framework
explicit and taking advantage of it.

Closest to our work is the work by A. Gordon and D. Syme [22], which
aims at automatic type-safety proofs for low-level languages. They identify a
restricted framework in which specifications and properties can be expressed,
and enhance the proof assistant HOL with suitable decision procedures, inspired
by SVC (Stanford Validity Checker), to achieve a high degree of automation.
Our methodology, which aims at validating automatically derived abstractions,
seems crisper but we lack grounds for comparison — it would be interesting to
validate, as they do, the .NET virtual machine, in order to carry out such a comparison.

5.2 Future Work 

Further case studies. Our current focus with Jakarta is to provide automatic
support for the construction and cross-validation of the virtual machines for
properties other than typing, e.g. initialization or non-interference. As such
efforts rely on similar methodologies, it seems interesting to use SPIKE
to prove appropriate versions of the CDO, CDA and MON properties.

Domain-specific proof environment for certifying low-level languages.
A longer term objective is to enhance the Jakarta toolset towards an envi-
ronment that provides automatic support for certifying low-level languages.
We expect the restricted format of JSL will prove useful for this task.
Abstract. A key new concept, term partition, allows one to design a new
method for proving theorems whose proof usually requires mathematical
induction. A term partition of a term t is a well-defined splitting of t into
a pair (a, b) of terms that describes the language of normal forms of the
ground instances of t.

If A is a monomorphic set of axioms (rules) and (a, b) is a term partition
of t, then the normal form (obtained by using A) of any ground instance
of t can be "divided" into the normal forms (obtained by using A) of the
corresponding ground instances of a and b. Given a conjecture t = s to
be checked for inductive validity in the theory of A, a partition (a, b) of
t and a partition (c, d) of s are computed. If a = c and b = d, then t = s
is an inductive theorem for A.

The method is conceptually different from the classical theorem proving
approaches. It allows one to obtain proofs of a large number of conjectures
(including non-linear ones) without additional lemmas or generalizations.



1 Introduction 

The need to be able to prove theorems by induction appears in many applica- 
tions including number theory, program verification, and program synthesis. We 
assume familiarity with the basic notion of equational logic and rewrite systems 
(see for instance [9]). 

A many-sorted signature $\Sigma$ is a pair $(S, \mathcal{F})$ where $S$ is a set of sorts and
$\mathcal{F}$ is a finite vocabulary of function symbols. Each symbol $f \in \mathcal{F}$ is associated
with a type denoted $s_1 \times \ldots \times s_n \to s$ such that $s$ and every $s_i$ belong to $S$. $n$
is the arity of $f$ and $s$ is the value (i.e. the coarity) of $f$. Let $T(\mathcal{F}, X)$ denote
the set of well-sorted terms built out of function symbols taken from $\mathcal{F}$ and a
denumerable set $X$ of free-sorted variables. We assume that $\mathcal{F}$ contains at least
one constant symbol per sort. Thus, the set $T(\mathcal{F})$ of ground terms (variable-free)
is non-empty. If $t$ is a term and $\theta$ is a (ground) substitution of (ground) terms
for variables in $t$, then $t\theta$ is a (ground) instance of $t$. Finally, an equation $e$ is an
element of $T(\mathcal{F}, X) \times T(\mathcal{F}, X)$ and is written as $t = s$.

An equation $t = s$ is a deductive consequence of a set $A$ of equations if it is
valid in any model of $A$. It is well known that $t = s$ is a deductive consequence
of $A$ if and only if $t =_A s$. Here, $=_A$ denotes the smallest monotonic congruence
that contains $A$. An equation is an inductive consequence of a set $A$ of equations if
it is valid in the initial (standard) model. In proof-theoretical terms, an equation
$t = s$ is said to be an inductive theorem, denoted $t =_{ind(A)} s$, if and only if
$t\alpha =_A s\alpha$ for all ground instances $t\alpha = s\alpha$ of $t = s$. Thus, the proof of $t = s$
depends on the proof of an infinite number of ground instances of $t = s$.

To establish inductive consequences, classical theorem proving provides ei-
ther explicit induction [1,5,16] or implicit induction [2,3,4,6,7,8,11]. However,
inductive proofs often diverge. The hardest problem in using either approach is
to find the appropriate induction schemes as well as the suitable lemmas needed
for the proof. As a "simple" example, consider the theorem:

x * (x + (x * x)) = (x * x) + (x * (x * x))    (1)

Addition (+) and multiplication (*) are defined by means of the equations
A = {x + 0 = x; x + s(y) = s(x + y); x * 0 = 0; x * s(y) = x * y + x}, where
s(x) represents the successor of x (i.e. x + 1).

The proof attempt begins with a simple induction step on x. The proof of the
base case 0 * (0 + (0 * 0)) = (0 * 0) + (0 * (0 * 0)) is trivial. In the step case, the
induction hypothesis is (1) and the induction conclusion is s(x) * (s(x) + (s(x) *
s(x))) = (s(x) * s(x)) + (s(x) * (s(x) * s(x))). Simplifying the induction conclusion
with the definitions above gives:

s(s(x) * (s(x) + ((s(x) * x) + x)) + x) = s(s((s(x) * x) + x) + (s(x) * ((s(x) * x) + x) + x))

This equation cannot be simplified further because neither side of this
equation contains any subterm which is an instance of an equation of A
or of the induction hypothesis (1). So, another induction step on x is performed.
Unfortunately this generates a diverging sequence of subgoals. The proof of (1)
simply fails. The problem is that the prover repeatedly tries an induction on x
but is unable to simplify the successor functions that it introduces in the first
positions of + and *. This failure is especially tied to the classical induction
setting, which is based on the explicit or implicit use of induction hypotheses.
Equation (1) cannot be proven when given just the above definitions without a
suitable generalization of the induction hypothesis¹. For instance, to prove this
equation the user has to provide the lemmas x * (y + z) = x * y + x * z and
(w + (x * y')) + v = w + ((x * y') + v).

A rewrite system $\mathcal{R}$ is a set of oriented equations $\{l \to r\}$ called rewrite rules.
A rule is applied to a term $t$ by finding a subterm $s$ of $t$ that is an instance of
the left side $l$ (i.e., $s = l\sigma$) and replacing $s$ with the corresponding instance ($r\sigma$)
of the rule's right side.  If $\mathcal{R}$ terminates, one computes with $\mathcal{R}$ by repeatedly
applying rules to rewrite an input term until a normal form (unrewritable term)
is obtained. In the case where $A$ can be compiled into a ground convergent rewrite
system $\mathcal{R}$, for a ground substitution $\sigma$, we can decide $t\sigma =_A s\sigma$ by testing for
syntactic identity of the $\mathcal{R}$-normal forms of $t\sigma$ and $s\sigma$ (i.e. is $t\sigma\!\downarrow_{\mathcal{R}} = s\sigma\!\downarrow_{\mathcal{R}}$?
where $t\sigma\!\downarrow_{\mathcal{R}}$ denotes the $\mathcal{R}$-normal form of $t\sigma$).

¹ Please note that the most advanced heuristic-based methods ([10,12,14,15]) also fail
to produce the necessary lemmas and/or generalizations for the proof to go through
for all the examples of the present paper (especially non-linear ones).
In terms of these definitions, a deep analysis of the normal forms of the ground
instances of both sides of (1) shows the existence of two terms a = x * x and
b = x * (x * x) that satisfy the following property: for all ground substitutions $\theta$,

$(x * (x + (x * x)))\theta\!\downarrow_{\mathcal{R}} = (x * x)\theta\!\downarrow_{\mathcal{R}} \oplus (x * (x * x))\theta\!\downarrow_{\mathcal{R}}$
and $((x * x) + (x * (x * x)))\theta\!\downarrow_{\mathcal{R}} = (x * x)\theta\!\downarrow_{\mathcal{R}} \oplus (x * (x * x))\theta\!\downarrow_{\mathcal{R}}$

Roughly speaking, the normal form of a ground instance of x * (x + (x * x))
is obtained by replacing the innermost symbol (i.e. 0) of the normal form of
the corresponding ground instance of a by the normal form of the corresponding
ground instance of b (the semantics of $\oplus$). Similarly, the normal form of a ground
instance of (x * x) + (x * (x * x)) is obtained by replacing the innermost symbol
of $a\theta\!\downarrow_{\mathcal{R}}$ by $b\theta\!\downarrow_{\mathcal{R}}$. Since both sides of (1) can be divided into the terms a = x * x and
b = x * (x * x), we may conclude that (1) is an inductive theorem (see Theorem 1).

Our approach tries to capture this intuition as to why the above equation is an inductive theorem. The central part of this paper is to show how our method makes it possible to establish the inductive validity of theorems completely automatically, from the function definitions alone.

The organization of this paper is as follows. In Sect. 2, the class of monomorphic rewrite systems is presented. In Sect. 3, an outline of our approach on a "simple" example is given. Section 4 introduces the key concept of term partition and shows how to use it to prove inductive theorems. Section 5 describes how to compute a term partition. In Sect. 6 we present our general inductive procedure and apply it to some hard examples². The formal proofs that are too long to appear in the body of our paper are given in the appendix that can be found at http://www-sop.inria.fr/coprin/urso/papers.html.



2 Monomorphic Rewrite Systems 

A ground convergent rewrite system $\mathcal{R}$ over a set of function symbols $\mathcal{F}_\mathcal{R}$ is terminating (w.r.t. a reduction ordering $>$) and ground confluent, i.e. $\mathcal{R}$ has the Church-Rosser property on ground terms. Termination implies that there is at least one $\mathcal{R}$-normal form for any term. From now on, we assume that $\mathcal{F}_\mathcal{R}$ can be partitioned into free constructors $\mathcal{C}_\mathcal{R}$ and defined symbols $\mathcal{D}_\mathcal{R}$, such that every ground term with a defined symbol can be made equal (using $\mathcal{R}$) to a ground term built upon constructors only (sufficient completeness). We shall from now on regard our set $A$ of equations as a rewrite system $\mathcal{R}$.

The set $TS(\mathcal{R}) = \{t \mid t$ is a constant or $t$ is of the form $c(x_1, x_2, \ldots, x_n)$ with $c \in \mathcal{C}_\mathcal{R}$ and $x_1, \ldots, x_n \in \mathcal{X}\}$ is a test set for $\mathcal{R}$ [13]. A test set substitution $\sigma$ is a substitution with values in $TS(\mathcal{R})$. $t\downarrow_\mathcal{R}$ denotes the normal form of term $t$ using $\mathcal{R}$ (when $\mathcal{R}$ is unambiguous it is just denoted $t\downarrow$). Let $(t = s)^{<}$ denote the instances of equation $t = s$ that are smaller (w.r.t. the extension of $>$ to equations) than $t = s$. The following function GEN encompasses the classical definition of induction.

Definition 1. $GEN(t = s, \mathcal{R}) = \{t\sigma\downarrow_\mathcal{R} = s\sigma\downarrow_\mathcal{R} \mid \sigma$ is a test set substitution, $t\sigma\downarrow_\mathcal{R} \neq s\sigma\downarrow_\mathcal{R}$, and $t\sigma\downarrow_\mathcal{R}$ (resp. $s\sigma\downarrow_\mathcal{R}$) is computed using $T = \mathcal{R} \cup \{(t = s)^{<}\}\}$.

² A hard theorem requires either a change of induction rule, or additional lemmas and generalizations for the proof to go through.

If $t$ is a term, $type(t)$ denotes the sort of $t$ (i.e. the coarity of the root of $t$) and $dom(t)$ is the set of positions of $t$. $\varepsilon$ denotes the empty position; $p, q, \ldots$ denote positions in a term. $|p|$ is the length of position $p$ and $\le$ is the prefix ordering. For notational convenience, we shall represent positions as lists of digits from $\{1 \ldots 9\}$. $t/p$ denotes the subterm of $t$ at position $p$. We write $t[s]_p$ for the result of replacing the subterm of $t$ at position $p$ by $s$. Finally, $t(p)$ denotes the symbol of $t$ at position $p$.

The monomorphic rewrite systems are a subset of the ground convergent and sufficiently complete rewrite systems. Their main interest is that their ground normalized terms can be viewed as "lists". In a list we are able to identify a "head" and a "tail" part, and thus to split a ground normalized term.



Definition 2. A ground convergent and sufficiently complete (over free constructors) rewrite system $\mathcal{R}$ is monomorphic if there is only one constant per sort $T$, denoted $\bot_T$, and every ground term $t$ in $\mathcal{R}$-normal form has only one leaf labelled by $\bot_{type(t)}$.

Example 1. Let $\mathcal{R}$ be the following monomorphic system (with $S = \{nat, list\}$):

$x + s(y) \to s(x + y)$; $x + 0 \to x$; $e(x, s(y)) \to e(x, y) * x$; $e(x, 0) \to s(0)$;
$x * s(y) \to (x * y) + x$; $x * 0 \to 0$; $m(x, s(y)) \to x + m(x, y)$; $m(x, 0) \to 0$;
$\Sigma(s(x)) \to s(x) + \Sigma(x)$; $\Sigma(0) \to 0$; $\Sigma I(s(x), y) \to \Sigma I(x, s(y + x))$; $\Sigma I(0, y) \to y$;
$r(c.l) \to ap(r(l), c.\emptyset)$; $r(\emptyset) \to \emptyset$; $ap(c.l, L) \to c.ap(l, L)$; $ap(\emptyset, L) \to L$;
$R(c.l, L) \to R(l, c.L)$; $R(\emptyset, L) \to L$

with the constructors $\mathcal{C}_\mathcal{R} = \{0 : \to nat;\ \emptyset : \to list;\ s : nat \to nat;\ . : nat \times list \to list\}$ and the defined symbols $\mathcal{D}_\mathcal{R} = \{\Sigma : nat \to nat;\ r : list \to list;\ +, *, m, e, \Sigma I : nat \times nat \to nat;\ R, ap : list \times list \to list\}$.

Further, $TS(\mathcal{R}) = \{0, s(x), \emptyset, c.l\}$. Throughout this paper we shall make free use of the rules in $\mathcal{R}$.



According to the above definition, a rewrite system is monomorphic only if its non-constant constructors have exactly one argument of their own sort; this argument is called "reflexive".

Definition 3. Let $\mathcal{R}$ be a monomorphic rewrite system and let $f : s_1 \times \ldots \times s_n \to s$ be a non-constant function symbol in $\mathcal{C}_\mathcal{R}$. The unique position $i \le n$ that verifies $s_i = s$ is called the reflexive argument position of $f$, and is denoted $RA(\mathcal{R}, f)$. Let $C \in T(\mathcal{C}_\mathcal{R}, \mathcal{X})$; the term $C[t]_{RA(\mathcal{R}, C(\varepsilon))}$ is simply denoted $C[t]$.
For the above rewrite system, we get that $RA(\mathcal{R}, .) = 2$ and $RA(\mathcal{R}, s) = 1$.

Finally, the "join" of two ground normalized terms in a monomorphic theory is defined as follows.

Definition 4. Let $\mathcal{R}$ be a monomorphic rewrite system and let $A$ and $B$ be two ground terms in $\mathcal{R}$-normal form, both of sort $T$; the join of $A$ and $B$, denoted $A \otimes B$, is the term $A[B]_p$ such that $A/p = \bot_T$.

For instance, $s(0).(0.\emptyset) \otimes s(s(0)).\emptyset = s(0).(0.(s(s(0)).\emptyset))$.

3 Outline of Our Approach: An Example 

The key concept underlying our approach is to split both sides of a given equation $t = s$ into pairs $(a, b)$ and $(c, d)$ and to recursively check whether $a = c$ and $b = d$ (see Theorem 1). Here, $a$ and $c$ are the head parts of $t$ and $s$; $b$ and $d$ are their tail parts. To obtain a pair that describes the head and the tail part of the normal form of the ground instances of a term $t$ we have to identify which particular combination of subterms of $t$ "creates" these parts. Further, to find these subterms we have to understand how each function in the rewrite system manages its arguments.

To illustrate the essential ideas behind our method let us outline it on a "tricky" example. Assume we wish to prove the non-linear equation $t = s$:

$r(ap(l, r(l))) = ap(l, r(l))$ (2)

Our approach to induction consists in computing a suitable term partition for each side of (2). Actually, we compute a set of partitions ($DEC$) for each side and try to find in these sets two head or tail parts that are syntactically equal (see the induction procedure in Sect. 6). A set of partitions is computed in two phases.

• In the first phase, the type of the argument positions of the defined function symbols appearing in $\mathcal{R}$ is characterized. Intuitively, this characterization indicates how each function argument is moved onto another argument position at each step of a rewriting sequence. This type can be precompiled using Definitions 6, 7, and 8 (see Sect. 5).

In our example, position 1 is the upward argument of $ap$; position 2 is the downward argument of $ap$; and position 1 is the down-contextual argument of $r$. Roughly speaking, the upward argument position of a function symbol $f$ indicates which subterm in a ground term (with $f$ as root symbol) moves towards the head of the normal form in a rewriting sequence. The downward argument position indicates which subterm in a ground term moves down towards the tail of the normal form in a rewriting sequence. The down-contextual argument position indicates which subterm in a ground term is used to create a regular series of elements whose normalization leads to the tail of the normal form³.

³ A fourth type of argument position, up-contextual, is not present in these terms; it indicates which subterm is used to create a regular series of elements whose normalization leads to the head of the normal form.
• In the second phase, "combinations" of subterms of each side of the equation to split are identified. These combinations are represented by the top and bot functions (see Definition 10) and computed along a "top" ($TP$) and a "bottom" ($BP$) path (see Definition 9). For instance, we get the following paths: $TP(r(ap(l, r(l)))) = 12$, $TP(ap(l, r(l))) = 1$, $BP(r(ap(l, r(l)))) = 11$, and $BP(ap(l, r(l))) = 21$. Roughly speaking, a $TP$ (resp. $BP$) path shows where to look for the subterms that create the head (resp. the tail) of a normal form of a ground instance of a term. For instance, the head of the normal form of a ground instance of $r(ap(l, r(l)))$ will be the result of computing the normal forms of the ground instance of $r(l)$ (at position 2 of $ap$) and then applying the definition of $r$ to position 1 (path 12). Similarly, the tail of the normal form of a ground instance of $r(ap(l, r(l)))$ can be found by applying the rules of the function symbols that label each position along the path 12. Each path allows us to compute (see Definition 11) the following sets:

$DEC(t) = \{(r(ap(l, r(l))), \emptyset);\ (r(r(l)), r(ap(l, \emptyset)));\ (\emptyset, r(ap(l, r(l))));\ (r(r(l)), r(l))\}$
$DEC(s) = \{(ap(l, r(l)), \emptyset);\ (l, r(l));\ (\emptyset, ap(l, r(l)));\ (ap(l, \emptyset), r(l))\}$

Each element of these sets constitutes a partition of $t$ and $s$, respectively (see Proposition 1). Since $(r(r(l)), r(l))$ is a partition of $r(ap(l, r(l)))$ and $(l, r(l))$ is a partition of $ap(l, r(l))$, we may reduce, by "taking off" the tail parts $r(l)$, the proof of (2) to the proof of $t' = s'$ (see Theorem 1):

$r(r(l)) = l$ (3)

So, we need to check (3) for inductive validity. We iterate the process of computing a term partition of both sides of (3) using Definition 11. Since a suitable partition for both terms cannot be found using the definition of $DEC$, the next step of our induction procedure consists of computing the "patterns" (see Definition 12) of both sides of (3). Roughly speaking, since ground normal forms of terms in monomorphic systems can be viewed as "lists", they can thus be made up of a regular series of similar elements. Intuitively, a pattern is a representation of these elements when they exist.

To compute patterns, two positions $p \in dom(t')$ and $q \in dom(s')$ such that $t'/p = s'/q$ are first chosen. Then, the normal forms of the terms $t'[c.x]_p$ and $s'[c.x]_q$ are computed, where $c.x$ is a non-constant element of $TS(\mathcal{R})$ (see Sect. 2). Finally, we have to find a suitable partition of $t'[c.x]_p$ that contains $t'[x]_p$. Since $t'[c.x]_{11}\downarrow = r(ap(r(x), c.\emptyset))$, we get that $(r(r(x)), c.\emptyset) \in DEC(t'[c.x]_{11}\downarrow)$, and a pattern of $t'$ is $c.\emptyset$. Similarly, since $s'[c.x]_\varepsilon\downarrow = c.x$, we get that $(x, c.\emptyset) \in DEC(s'[c.x]_\varepsilon\downarrow)$, and thus $c.\emptyset$ is also a pattern of $s'$. Intuitively, the reason for such a computation is to find a term $pat$ that has the following property (where $\theta$ is a ground substitution, and each $\theta_i$ depends on one element of the list of length $n$ that represents the term $(t/p)\theta\downarrow$):

$t\theta\downarrow = t[\bot]_p\theta\downarrow \otimes pat\theta_1 \otimes \ldots \otimes pat\theta_n$
$s\theta\downarrow = s[\bot]_q\theta\downarrow \otimes pat\theta_1 \otimes \ldots \otimes pat\theta_n$

e.g., for (3),

$t'\theta\downarrow = r(r(\emptyset))\downarrow \otimes c_1.\emptyset \otimes \ldots \otimes c_n.\emptyset$
$s'\theta\downarrow = \emptyset\downarrow \otimes c_1.\emptyset \otimes \ldots \otimes c_n.\emptyset$

with $(t'/p)\theta\downarrow = c_1. \ldots .c_n.\emptyset$.

Since both sides of (3) have a common pattern, we have to check whether $r(r(\emptyset)) = \emptyset$ is an inductive theorem (see Theorem 2). Now, $r(r(\emptyset)) = \emptyset$ trivially holds. Therefore (3) is an inductive theorem, and hence so is (2).

4 Induction Using “Term Partition” 

In this section, we define our approach to mathematical induction, which is directly based on a finite specification of the language of the normal forms of the infinitely many ground instances of a term.

Definition 5. If $\mathcal{R}$ is a rewrite system and $t$ is a term, then a partition of $t$ with respect to $\mathcal{R}$ is an ordered pair $(a, b)$ where $a$ and $b$ are terms such that $var(a) \cup var(b) \subseteq var(t)$ and for every ground substitution $\theta$ the following holds: $t\theta\downarrow = a\theta\downarrow \otimes b\theta\downarrow$.

For instance, $(r(m), r(l))$ is a partition of $r(ap(l, m))$: the normal forms of the ground instances of $t$ are equal to the normal forms of the corresponding ground instances of $r(m)$ followed by those of $r(l)$. Similarly, $(r(m), r(l))$ is also a partition of $ap(r(m), r(l))$. The key property of term partitions is Theorem 1.

Theorem 1. Let $\mathcal{R}$ be a monomorphic ground convergent rewrite system and $t = s$ be an equation. Assume that $(a, b)$ is a partition of $t$ and $(c, d)$ is a partition of $s$. If $a =_{ind(\mathcal{R})} c$ then $t =_{ind(\mathcal{R})} s$ if and only if $b =_{ind(\mathcal{R})} d$. Respectively, if $b =_{ind(\mathcal{R})} d$ then $t =_{ind(\mathcal{R})} s$ if and only if $a =_{ind(\mathcal{R})} c$.

Proof. Let $\theta$ be a ground substitution. Since $(c, d)$ is a partition of $s$, $s\theta\downarrow = c\theta\downarrow \otimes d\theta\downarrow$. Since $(a, b)$ is a partition of $t$, $t\theta\downarrow = a\theta\downarrow \otimes b\theta\downarrow$.

Assume first that $t =_{ind(\mathcal{R})} s$. Since $\mathcal{R}$ is ground convergent, we get that $t\theta\downarrow = s\theta\downarrow$. Therefore, we have $a\theta\downarrow \otimes b\theta\downarrow = c\theta\downarrow \otimes d\theta\downarrow$.

- If $a =_{ind(\mathcal{R})} c$ we then have $a\theta\downarrow = c\theta\downarrow$. So $a\theta\downarrow \otimes b\theta\downarrow = a\theta\downarrow \otimes d\theta\downarrow$. By Definition 4 we get $b\theta\downarrow = d\theta\downarrow$, and therefore $b =_{ind(\mathcal{R})} d$.
- Similarly, $b =_{ind(\mathcal{R})} d$ implies $b\theta\downarrow = d\theta\downarrow$. So $a\theta\downarrow \otimes b\theta\downarrow = c\theta\downarrow \otimes b\theta\downarrow$. By Definition 4 we get $a\theta\downarrow = c\theta\downarrow$, and therefore $a =_{ind(\mathcal{R})} c$.

Assume now $a =_{ind(\mathcal{R})} c$ and $b =_{ind(\mathcal{R})} d$. Since $\mathcal{R}$ is monomorphic, we get a unique position $p$ such that $a\theta\downarrow/p = c\theta\downarrow/p = \bot_T$. We then have $t\theta\downarrow = a\theta\downarrow \otimes b\theta\downarrow = c\theta\downarrow \otimes d\theta\downarrow = s\theta\downarrow$. □

For instance, since $(r(m), r(l))$ is a common partition of $r(ap(l, m))$ and $ap(r(m), r(l))$, Theorem 1 says that $r(ap(l, m)) =_{ind(\mathcal{R})} ap(r(m), r(l))$.

5 Computing “Term Partitions” 

As seen in Sect. 2, a term partition is computed in two phases. The first phase is 
to understand how the normal forms of the ground instances of a term are built 
up. The second phase uses the first one to extract from a term the combination 
of subterms that form the partition. 
Parsing the Rewrite System. Let $\mathcal{R}$ be a ground convergent rewrite system, and let $\mathcal{R}_f = \{l \to r \in \mathcal{R} \mid l = f(t_1, \ldots, t_n)$ with $f \in \mathcal{D}_\mathcal{R}$ and $t_i \in T(\mathcal{C}_\mathcal{R}, \mathcal{X})\}$ be the definition of $f$. Assume that $t$ is a term and $\theta$ is a ground constructor substitution. If we were able to identify the subterms in $t\theta$ which could be moved (possibly changed) towards the "top" of $t\theta\downarrow$ or down towards the "bottom" of $t\theta\downarrow$ in any rewriting sequence, then we would be able to obtain a term partition.

The type of an argument position allows us to know how each function argument is moved onto another argument position in a rewriting step. Let $\mathcal{R}$ be a monomorphic rewrite system. Let $P_f$ be the argument position set of $f$, defined as $P_f = \{1, \ldots, n\}$ where $n$ is the arity of symbol $f$. Remember that $RA(\mathcal{R}, f)$ is the reflexive argument position of $f \in \mathcal{C}_\mathcal{R}$ (see Sect. 2).

Definition 6. Let $\mathcal{R}$ be a monomorphic rewrite system and let $f$ be a function symbol in $\mathcal{D}_\mathcal{R}$. $p \in P_f$ is a downward position, denoted by $DP(\mathcal{R}, f)$, if for all $l \to r \in \mathcal{R}_f$, $l/p$ is a variable and there exists just one position $q$ such that $l/p = r/q$ and

- either $q = \varepsilon$,
- or $q = q_1 \ldots q_n$ with, for all $i \le n$, $|q_i| = 1$ and $q_i = RA(\mathcal{R}, r(q_1 \ldots q_{i-1}))$, $q_i = DP(\mathcal{R}, r(q_1 \ldots q_{i-1}))$, or $q_i = p$ with $r(q_1 \ldots q_{i-1}) = f$.

Example 2. If $\mathcal{R}_R = \{R(c.l, L) \to R(l, c.L);\ R(\emptyset, L) \to L\}$, then by taking $p = 2$ we get $q = 22$ or $q = \varepsilon$. Thus $DP(\mathcal{R}, R) = 2$.

Definition 7. Let $\mathcal{R}$ be a monomorphic rewrite system and let $f$ be a function symbol in $\mathcal{D}_\mathcal{R}$. $p \in P_f$ is an upward position, denoted by $UP(\mathcal{R}, f)$, if for all $l \to r \in \mathcal{R}_f$,

- either $l/p = \bot_{type(l)}$,
- or $l/p = C[x]$ and $r = C'[l[x]_p]$.

Example 3. If $\mathcal{R}_{ap} = \{ap(\emptyset, L) \to L;\ ap(c.l, L) \to c.ap(l, L)\}$, then by taking $p = 1$ we get $l/p = \emptyset$ or $l/p = c.l$ and $r = c.ap(l, L)$. Thus $UP(\mathcal{R}, ap) = 1$.

Definition 8. Let $\mathcal{R}$ be a monomorphic rewrite system and let $f$ be a function symbol in $\mathcal{D}_\mathcal{R}$. For a position $p \in P_f$, if for all $l \to r \in \mathcal{R}_f$

- either $l/p = \bot$ and $r = \bot$,
- or $l/p = C[x]$ and there exists just one position $q$ s.t. $r/q = l[x]_p$,

then $p$ is

• an up-contextual position, denoted by $UCP(\mathcal{R}, f)$, if $q = DP(\mathcal{R}, r(\varepsilon))$;
• a down-contextual position, denoted by $DCP(\mathcal{R}, f)$, if $q = UP(\mathcal{R}, r(\varepsilon))$.

Example 4. If $\mathcal{R}_* = \{x * 0 \to 0;\ x * s(y) \to (x * y) + x\}$, then by taking $p = 2$ we get $l/p = r = 0$ or $l/p = s(y)$ and $r/q = (x * y)$ with $q = DP(\mathcal{R}, +) = 1$. Thus $UCP(\mathcal{R}, *) = 2$.

Example 5. If $\mathcal{R}_m = \{m(x, 0) \to 0;\ m(x, s(y)) \to x + m(x, y)\}$, then by taking $p = 2$ we get $l/p = r = 0$ or $l/p = s(y)$ and $r/q = m(x, y)$ with $q = UP(\mathcal{R}, +) = 2$. Thus $DCP(\mathcal{R}, m) = 2$.
Table 1. Argument positions for $\mathcal{R}$ (see Example 1): for each function symbol $f$ the table gives $RA(\mathcal{R}, f)$, $DP(\mathcal{R}, f)$, $UP(\mathcal{R}, f)$, $UCP(\mathcal{R}, f)$ and $DCP(\mathcal{R}, f)$.
Terms with downward, upward, up-contextual, and down-contextual argument positions may be divided into two parts, as the following lemma shows:

Lemma 1. Let $\mathcal{R}$ be a monomorphic rewrite system, let $t$ be a term, and let $p$ be a position in $P_{t(\varepsilon)}$. For any ground substitution $\theta$, and for any ground terms $A$ and $B$ in $\mathcal{R}$-normal form,

1. if $p = DP(\mathcal{R}, t(\varepsilon))$, then $t[A]_p\theta\downarrow = t[\bot_{type(t)}]_p\theta\downarrow \otimes A$
2. if $p = UP(\mathcal{R}, t(\varepsilon))$, then $t[A]_p\theta\downarrow = A \otimes t[\bot_{type(t)}]_p\theta\downarrow$
3. if $p = UCP(\mathcal{R}, t(\varepsilon))$, then $t[A \otimes B]_p\theta\downarrow = t[A]_p\theta\downarrow \otimes t[B]_p\theta\downarrow$
4. if $p = DCP(\mathcal{R}, t(\varepsilon))$, then $t[A \otimes B]_p\theta\downarrow = t[B]_p\theta\downarrow \otimes t[A]_p\theta\downarrow$



Partition Sets. In the second step, we have to know how each function symbol argument is moved at each step of a rewriting sequence of a ground instance $t\theta$ of a term $t$. The mechanism is directly based on the argument positions as defined above, since they point out the subterms of $t$ that will constitute identified parts (by Lemma 1) of $t\theta\downarrow$. To construct the path leading to the innermost subterms that participate in the "head" or the "tail" of $t\theta\downarrow$ we recursively follow the tree representing $t$.

Definition 9. Let $\mathcal{R}$ be a monomorphic rewrite system and let $t$ be a term. The maximum top path of $t$, denoted by $TP(t)$, and the maximum bottom path of $t$, denoted by $BP(t)$, are computed recursively by the following functions.

Function TP(t) : path
  Let $f := t(\varepsilon)$;
  For all $q \in P_f$
    If ($q = RA(\mathcal{R}, f)$) or ($q = UP(\mathcal{R}, f)$) or ($q = UCP(\mathcal{R}, f)$) Then Return $q.TP(t/q)$;
    Else If $q = DCP(\mathcal{R}, f)$ Then Return $q.BP(t/q)$;
  Return $\varepsilon$;

Function BP(t) : path
  Let $f := t(\varepsilon)$;
  For all $q \in P_f$
    If ($q = RA(\mathcal{R}, f)$) or ($q = DP(\mathcal{R}, f)$) or ($q = UCP(\mathcal{R}, f)$) Then Return $q.BP(t/q)$;
    Else If $q = DCP(\mathcal{R}, f)$ Then Return $q.TP(t/q)$;
  Return $\varepsilon$;

Example 6. $ap(r(ap(l, n)), R(n, l))$

- $TP(ap(r(ap(l, n)), R(n, l))) = 1\,TP(r(ap(l, n))) = 11\,BP(ap(l, n)) = 112\,BP(n) = 112$
- $BP(ap(r(ap(l, n)), R(n, l))) = 2\,BP(R(n, l)) = 22\,BP(l) = 22$

Example 7. $x * m(y, z + x)$

- $TP(x * m(y, z + x)) = 2\,TP(m(y, z + x)) = 22\,BP(z + x) = 221\,BP(z) = 221$
- $BP(x * m(y, z + x)) = 2\,BP(m(y, z + x)) = 22\,TP(z + x) = 222\,TP(x) = 222$

We are now ready to specify the "heads" and the "tails" of the normal forms of the ground instances of a term $t$ having a top or a bottom path. To represent these parts of every $t\theta\downarrow$, we compute terms whose ground instances in normal form will be at the head or at the tail of $t\theta\downarrow$. These terms are built up recursively following a top or a bottom path.

Definition 10. Let $\mathcal{R}$ be a monomorphic rewrite system, let $t$ be a term, and let $p$ be a top path (resp. a bottom path). The head part, denoted by $top(t, p)$ (resp. the tail part, denoted by $bot(t, p)$), is the term computed as⁴

$q = RA(\mathcal{R}, t(\varepsilon))$: $top(t, q.p) = t[top(t/q, p)]_q$; $bot(t, q.p) = bot(t/q, p)$
$q = DP(\mathcal{R}, t(\varepsilon))$: $bot(t, q.p) = bot(t/q, p)$
$q = UP(\mathcal{R}, t(\varepsilon))$: $top(t, q.p) = top(t/q, p)$
$q = UCP(\mathcal{R}, t(\varepsilon))$: $top(t, q.p) = t[top(t/q, p)]_q$; $bot(t, q.p) = t[bot(t/q, p)]_q$
$q = DCP(\mathcal{R}, t(\varepsilon))$: $top(t, q.p) = t[bot(t/q, p)]_q$; $bot(t, q.p) = t[top(t/q, p)]_q$
$top(t, \varepsilon) = t$; $bot(t, \varepsilon) = t$

The complement of the head part, denoted by $ntp(t, p)$ (resp. the complement of the tail part, denoted by $nbt(t, p)$), is the term computed as

$q = RA(\mathcal{R}, t(\varepsilon))$: $ntp(t, q.p) = ntp(t/q, p)$; $nbt(t, q.p) = t[nbt(t/q, p)]_q$
$q = DP(\mathcal{R}, t(\varepsilon))$: $nbt(t, q.p) = t[nbt(t/q, p)]_q$
$q = UP(\mathcal{R}, t(\varepsilon))$: $ntp(t, q.p) = t[ntp(t/q, p)]_q$
$q = UCP(\mathcal{R}, t(\varepsilon))$: $ntp(t, q.p) = t[ntp(t/q, p)]_q$; $nbt(t, q.p) = t[nbt(t/q, p)]_q$
$q = DCP(\mathcal{R}, t(\varepsilon))$: $ntp(t, q.p) = t[nbt(t/q, p)]_q$; $nbt(t, q.p) = t[ntp(t/q, p)]_q$
$ntp(t, \varepsilon) = \bot_{type(t)}$; $nbt(t, \varepsilon) = \bot_{type(t)}$

The following definition and proposition implement the concept of term partition.

⁴ The way to compute top and bot is similar to the functions TP and BP. The presentation is different to reduce the size of the definition.
Definition 11. Let $t$ be a term; then the partition set of $t$, denoted $DEC(t)$, is
$\{(top(t, p), ntp(t, p)\downarrow) \mid p \le TP(t)\} \cup \{(nbt(t, q)\downarrow, bot(t, q)) \mid q \le BP(t)\}$

Proposition 1. Every element of $DEC(t)$ is a partition of $t$.

Example 8. Consider the term $t = ap(r(ap(l, n)), R(n, l))$ and the path $11 \le TP(t)$.

- $top(t, 11) = top(r(ap(l, n)), 1) = r(bot(ap(l, n), \varepsilon)) = r(ap(l, n))$
- $ntp(t, 11)\downarrow = ap(ntp(r(ap(l, n)), 1), R(n, l))\downarrow = ap(r(nbt(ap(l, n), \varepsilon)), R(n, l))\downarrow = ap(r(\emptyset), R(n, l))\downarrow = R(n, l)$

Thus, $(r(ap(l, n)), R(n, l))$ is a partition of $t$.

Example 9. Consider the term $t = x * m(y, z + x)$ and the path $222 \le BP(t)$.

- $nbt(t, 222)\downarrow = (x * nbt(m(y, z + x), 22))\downarrow = (x * m(y, ntp(z + x, 2)))\downarrow = (x * m(y, z + ntp(x, \varepsilon)))\downarrow = (x * m(y, z + 0))\downarrow = x * m(y, z)$
- $bot(t, 222) = x * bot(m(y, z + x), 22) = x * m(y, top(z + x, 2)) = x * m(y, top(x, \varepsilon)) = x * m(y, x)$

Thus, $(x * m(y, z), x * m(y, x))$ is a partition of $t$.
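As an added example (not the paper's code), the pieces of Sect. 2 and Sect. 5 above can be run end to end on the system $\mathcal{R}$ of Example 1: a small innermost rewriter gives $t\downarrow$, the join of Definition 4 and the partition test of Definition 5 (the $(r(m), r(l))$ examples and the terms $a$, $b$ of Sect. 1), and Definitions 9 to 11 give TP/BP, top/bot/ntp/nbt and DEC for the terms of Examples 6 to 9 and of equation (2), which are then checked against Proposition 1 on a few constructed ground substitutions. The argument-position table holds only the values the paper states (Definition 3, Examples 2 to 5, Sect. 3); the names nil, cons, sum and sumI replace $\emptyset$, the infix dot, $\Sigma$ and $\Sigma I$.

```python
"""Term partitions over the monomorphic system R of Example 1: innermost rewriting,
the join (Definition 4), TP/BP (Definition 9), top/bot/ntp/nbt (Definition 10), DEC
(Definition 11) and a check of Definition 5 / Proposition 1 on constructed ground
substitutions. Added example, not the paper's code; 'nil', 'cons', 'sum', 'sumI'
stand for the empty list, the infix '.', Σ and ΣI; variables are strings."""

def T(f, *args):
    return (f,) + args

ZERO, NIL, S = T('0'), T('nil'), (lambda a: T('s', a))
x, y, z, l, m, n, L, c = 'x', 'y', 'z', 'l', 'm', 'n', 'L', 'c'
RULES = [  # the rules of R (Example 1), oriented left to right
    (T('+', x, S(y)), S(T('+', x, y))), (T('+', x, ZERO), x),
    (T('e', x, S(y)), T('*', T('e', x, y), x)), (T('e', x, ZERO), S(ZERO)),
    (T('*', x, S(y)), T('+', T('*', x, y), x)), (T('*', x, ZERO), ZERO),
    (T('m', x, S(y)), T('+', x, T('m', x, y))), (T('m', x, ZERO), ZERO),
    (T('sum', S(x)), T('+', S(x), T('sum', x))), (T('sum', ZERO), ZERO),
    (T('sumI', S(x), y), T('sumI', x, S(T('+', y, x)))), (T('sumI', ZERO, y), y),
    (T('r', T('cons', c, l)), T('ap', T('r', l), T('cons', c, NIL))), (T('r', NIL), NIL),
    (T('ap', T('cons', c, l), L), T('cons', c, T('ap', l, L))), (T('ap', NIL, L), L),
    (T('R', T('cons', c, l), L), T('R', l, T('cons', c, L))), (T('R', NIL, L), L)]

def match(pat, t, sub):  # first-order matching of pat against t, extending sub
    if isinstance(pat, str):
        return sub.setdefault(pat, t) == t
    return (not isinstance(t, str) and pat[0] == t[0] and len(pat) == len(t)
            and all(match(p, a, sub) for p, a in zip(pat[1:], t[1:])))

def inst(t, sub):  # apply substitution sub to t
    return sub.get(t, t) if isinstance(t, str) else T(t[0], *(inst(a, sub) for a in t[1:]))

def nf(t):  # t↓: innermost rewriting with R (R terminates, so this halts)
    if isinstance(t, str):
        return t
    t = T(t[0], *(nf(a) for a in t[1:]))
    for lhs, rhs in RULES:
        sub = {}
        if match(lhs, t, sub):
            return nf(inst(rhs, sub))
    return t

# Sorts and argument-position types as stated in the paper (Def. 3, Examples 2-5, Sect. 3).
NAT = {'0', 's', '+', '*', 'm', 'e', 'sum', 'sumI', 'x', 'y', 'z', 'c'}
ARG = {'s': {'RA': 1}, 'cons': {'RA': 2}, 'ap': {'UP': 1, 'DP': 2}, 'r': {'DCP': 1},
       'R': {'DP': 2}, '+': {'DP': 1, 'UP': 2}, '*': {'UCP': 2}, 'm': {'DCP': 2}}

def bottom(t):  # the constant ⊥ of type(t); anything not in NAT is of sort list
    return ZERO if (t if isinstance(t, str) else t[0]) in NAT else NIL

def kind(f, q):  # RA/DP/UP/UCP/DCP of argument position q of symbol f, or None
    return next((k for k, pos in ARG.get(f, {}).items() if pos == q), None)

def replace(t, q, s):  # t[s]_q for a single argument position q
    return t[:q] + (s,) + t[q + 1:]

def join(a, b):  # Definition 4: A ⊗ B replaces the bottom leaf of normal form A by B
    return b if a in (ZERO, NIL) else replace(a, ARG[a[0]]['RA'], join(a[ARG[a[0]]['RA']], b))

def path(t, up):  # Definition 9: TP(t) if up else BP(t), as a tuple of positions
    if isinstance(t, str):
        return ()
    for q in range(1, len(t)):
        k = kind(t[0], q)
        if k in ('RA', 'UCP', 'UP' if up else 'DP'):
            return (q,) + path(t[q], up)
        if k == 'DCP':
            return (q,) + path(t[q], not up)
    return ()

# Definition 10 as a table: 'wrap' keeps the context t[..]_q around the recursive
# call, 'drop' descends without it, 'dual' wraps the dual function's result.
DEF10 = {'top': {'RA': 'wrap', 'UP': 'drop', 'UCP': 'wrap', 'DCP': 'dual'},
         'bot': {'RA': 'drop', 'DP': 'drop', 'UCP': 'wrap', 'DCP': 'dual'},
         'ntp': {'RA': 'drop', 'UP': 'wrap', 'UCP': 'wrap', 'DCP': 'dual'},
         'nbt': {'RA': 'wrap', 'DP': 'wrap', 'UCP': 'wrap', 'DCP': 'dual'}}
DUAL = {'top': 'bot', 'bot': 'top', 'ntp': 'nbt', 'nbt': 'ntp'}

def part(name, t, p):  # top/bot/ntp/nbt of t along p; KeyError if p is not a valid path
    if not p:
        return t if name in ('top', 'bot') else bottom(t)
    action = DEF10[name][kind(t[0], p[0])]
    if action == 'drop':
        return part(name, t[p[0]], p[1:])
    return replace(t, p[0], part(DUAL[name] if action == 'dual' else name, t[p[0]], p[1:]))

def DEC(t):  # Definition 11: {(top, ntp↓) | p ≤ TP(t)} ∪ {(nbt↓, bot) | q ≤ BP(t)}
    tp, bp = path(t, True), path(t, False)
    return ({(part('top', t, tp[:i]), nf(part('ntp', t, tp[:i]))) for i in range(len(tp) + 1)}
            | {(nf(part('nbt', t, bp[:i])), part('bot', t, bp[:i])) for i in range(len(bp) + 1)})

def nat(k):  # constructed ground values: s^k(0) and lists of them
    return ZERO if k == 0 else S(nat(k - 1))
def lst(ks):
    return NIL if not ks else T('cons', nat(ks[0]), lst(ks[1:]))
THETAS = [{'x': nat(a), 'y': nat(b), 'z': nat(b), 'l': lst(ls), 'm': lst(ms), 'n': lst(ms)}
          for a, b, ls, ms in [(0, 0, [], []), (2, 1, [1, 2], [3]), (3, 2, [0, 1], [2, 3])]]

def is_partition(t, a, b, thetas=THETAS):  # Definition 5 on finitely many θ (a necessary check)
    return all(nf(inst(t, th)) == join(nf(inst(a, th)), nf(inst(b, th))) for th in thetas)
```

Checking Definition 5 on finitely many substitutions is only a necessary condition; Proposition 1 is what guarantees it for every element of DEC(t).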



Patterns. In some cases, Definition 10 does not provide us with a suitable term partition. One reason for this is that $\{(t, \bot), (\bot, t)\}$ may be the only elements of $DEC(t)$. Another reason is that the type of the arguments of some function symbols (e.g. $e$, $\Sigma I$, ...) cannot be specified⁵. A pattern of $t$ is computed using a partition of the instances of $t$ obtained by replacing a variable in $t$ by a non-constant element of the test set.

Definition 12. Let $\mathcal{R}$ be a monomorphic rewrite system, $t$ be a term, $C[y] \in TS(\mathcal{R})$, and $p \in dom(t)$. The left-pattern (resp. the right-pattern) of $t$, denoted $lpat(t, p, C[y])$ (resp. $rpat(t, p, C[y])$), with respect to $C[y]$ and $p$ is the term $a$ such that $(a, t[y]_p)$ (resp. $(t[y]_p, a)$) is a partition of $t[C[y]]_p\downarrow$.

Example 10. Consider the term $t = x * (x * x)$. Assume that $s(y) \in TS(\mathcal{R})$. We then have $t[s(y)]_{22}\downarrow = x * ((x * y) + x)$. Since $ntp(x * ((x * y) + x), 22)\downarrow = (x * ((x * y) + 0))\downarrow = x * (x * y) = t[y]_{22}$, the left-pattern of $t$ at position 22 is $top(x * ((x * y) + x), 22) = x * x$. Thus, for any ground substitution $\theta$ we get:

$t\theta\downarrow = (x * x)\theta\downarrow \otimes \ldots \otimes (x * x)\theta\downarrow \otimes (x * (x * 0))\theta\downarrow$ with $(x * x)\theta\downarrow$ repeated $|x\theta\downarrow|$ times.

Example 11. Consider the term $t = r(ap(l, r(l)))$. Assume that $c.x \in TS(\mathcal{R})$. We then have $t[c.y]_{11}\downarrow = ap(r(ap(y, r(l))), c.\emptyset)$. Since $top(ap(r(ap(y, r(l))), c.\emptyset), 1) = r(ap(y, r(l))) = t[y]_{11}$, the right-pattern of $t$ at position 11 is $ntp(ap(r(ap(y, r(l))), c.\emptyset), 1)\downarrow = ap(\emptyset, c.\emptyset)\downarrow = c.\emptyset$. Thus, for any ground substitution $\theta$ we get:

$t\theta\downarrow = r(ap(\emptyset, r(l)))\theta\downarrow \otimes c_1.\emptyset \otimes \ldots \otimes c_n.\emptyset$ with $l\theta\downarrow = c_1. \ldots .c_n.\emptyset$.

⁵ Of course, Definition 10 can handle these functions if they do not occur at the root.
Theorem 2. Let $\mathcal{R}$ be a monomorphic system and $t = s$ be an equation. Assume that there is a pair $(p, q) \in dom(t) \times dom(s)$ such that $t/p =_{ind(\mathcal{R})} s/q$.

- If for all $C[y] \in TS(\mathcal{R})$ one has $lpat(t, p, C[y]) =_{ind(\mathcal{R})} lpat(s, q, C[y])$ or $rpat(t, p, C[y]) =_{ind(\mathcal{R})} rpat(s, q, C[y])$ then $t =_{ind(\mathcal{R})} s$ if and only if $t[\bot_{type(t)}]_p =_{ind(\mathcal{R})} s[\bot_{type(s)}]_q$.
- Similarly, if $t[\bot_{type(t)}]_p =_{ind(\mathcal{R})} s[\bot_{type(s)}]_q$ then $t =_{ind(\mathcal{R})} s$ if and only if for all $C[y] \in TS(\mathcal{R})$ one has $lpat(t, p, C[y]) =_{ind(\mathcal{R})} lpat(s, q, C[y])$ or $rpat(t, p, C[y]) =_{ind(\mathcal{R})} rpat(s, q, C[y])$.

Proof. Let $\theta$ be a ground substitution. $t/p =_{ind(\mathcal{R})} s/q$ implies $(t/p)\theta\downarrow = (s/q)\theta\downarrow$. Let $A$ be a ground term in $\mathcal{R}$-normal form such that $A = (t/p)\theta\downarrow$. Since $\mathcal{R}$ is ground convergent, we get, by the substitution property, that $t\theta\downarrow = t\theta[(t/p)\theta\downarrow]_p\downarrow = t\theta[A]_p\downarrow$. Similarly $s\theta\downarrow = s\theta[A]_q\downarrow$. We proceed by induction on the structure of $A$ (remember $\mathcal{R}$ is monomorphic and thus sufficiently complete, so $A \in T(\mathcal{C}_\mathcal{R})$)⁶:

- Basis case: $t[\bot]_p =_{ind(\mathcal{R})} s[\bot]_q$ implies $t\theta[\bot]_p\downarrow = s\theta[\bot]_q\downarrow$.
- Induction case: for all $A'$ such that $A = C[A']$ we have that
  • either $lpat(t, p, C[y])\theta\downarrow = lpat(s, q, C[y])\theta\downarrow = B$ and $t\theta\downarrow = t\theta[C[A']]_p\downarrow = B \otimes t\theta[A']_p\downarrow$. Similarly, $s\theta\downarrow = B \otimes s\theta[A']_q\downarrow$;
  • or $rpat(t, p, C[y])\theta\downarrow = rpat(s, q, C[y])\theta\downarrow = B$ and $t\theta\downarrow = t\theta[C[A']]_p\downarrow = t\theta[A']_p\downarrow \otimes B$. Similarly, $s\theta\downarrow = s\theta[A']_q\downarrow \otimes B$.
  Therefore, by the induction hypothesis, $t\theta[A']_p\downarrow = s\theta[A']_q\downarrow$.

And $\forall C[x]$, $lpat(t, p, C[x]) =_{ind(\mathcal{R})} lpat(s, q, C[x])$ or $rpat(t, p, C[x]) =_{ind(\mathcal{R})} rpat(s, q, C[x])$ implies $t =_{ind(\mathcal{R})} s$ if and only if $t[\bot]_p =_{ind(\mathcal{R})} s[\bot]_q$. □

6 Organizing the Inductive Proofs 

In this section we show how to organize inductive proofs. Assume we are working with a monomorphic $\mathcal{R}$ (see Sect. 2). To verify whether $t =_{ind(\mathcal{R})} s$ we run the following procedure:

Function inductive(t = s) : boolean
  If $t\downarrow = s\downarrow$ Then Return TRUE;
  If $vars(t) = \emptyset$ and $vars(s) = \emptyset$ Then Return FALSE;
  For all $(a, b) \in DEC(t)$ and all $(c, d) \in DEC(s)$
    If $a = c$ Then Return inductive($b = d$);
    If $b = d$ Then Return inductive($a = c$);
  For all $p \in dom(t)$ and all $q \in dom(s)$ with $t/p = s/q$
    If $\forall C[x] \in TS(\mathcal{R})$. pat($t, p, C[x]$) $\neq$ null Then
      If $\forall C[x] \in TS(\mathcal{R})$. pat($t, p, C[x]$) = pat($s, q, C[x]$) Then
        Return inductive($t[\bot_{type(t)}]_p = s[\bot_{type(s)}]_q$);
      Else If $t[\bot_{type(t)}]_p\downarrow = s[\bot_{type(s)}]_q\downarrow$ Then
        Return $\forall C[x] \in TS(\mathcal{R})$. inductive(pat($t, p, C[x]$) = pat($s, q, C[x]$));
  Return inductive(GEN($t = s$));

⁶ In the proofs, since we deal with only one sort, we write $\bot$ for the constant of that sort.
To compute patterns, we define one function that returns the term and the side (left or right) defining the pattern. In the function inductive defined above, the equality test (=) compares both terms and sides, but the inductive call on patterns is applied only to the terms⁷.

Function pat(t, p, C[x]) : (side, term)
  For all $(a, b) \in DEC(t[C[x]]_p\downarrow)$
    If $a = t[x]_p$ Then Return (right, $b$);
    Else If $b = t[x]_p$ Then Return (left, $a$);
  Return null;



Let us illustrate how our framework succeeds on some hard examples:

Example 12. Consider the equation $t = s$: $ap(r(l), ap(l, l)) = ap(ap(r(l), l), l)$

- $(nbt(t, 1)\downarrow, bot(t, 1)) = (r(l), ap(l, l)) \in DEC(t)$
- $(nbt(s, 11)\downarrow, bot(s, 11)) = (r(l), ap(l, l)) \in DEC(s)$

Example 13. Let $t = s$ be $r(ap(l, l)) = ap(r(l), r(l))$

- $(nbt(t, 11)\downarrow, bot(t, 11)) = (r(l), r(l)) \in DEC(t)$
- $(top(s, 1), ntp(s, 1)\downarrow) = (r(l), r(l)) \in DEC(s)$

In the two examples above, we get two partitions $(a, b)$ of $t$ and $(c, d)$ of $s$ such that $a = c$, so the inductive procedure is called again on $b$ and $d$, which are also syntactically equal.

Example 14. Let $t = s$ be $R(l, \emptyset) = r(l)$. With patterns, $t[c.l']_1\downarrow = R(l', c.\emptyset)$ and $s[c.l']_1\downarrow = ap(r(l'), c.\emptyset)$; then

- $(nbt(t[c.l']_1\downarrow, 2)\downarrow, bot(t[c.l']_1\downarrow, 2)) = (R(l', \emptyset), c.\emptyset)$ and
- $(top(s[c.l']_1\downarrow, 1), ntp(s[c.l']_1\downarrow, 1)\downarrow) = (r(l'), c.\emptyset)$.

Since $R(\emptyset, \emptyset)\downarrow = r(\emptyset)\downarrow = \emptyset$, we get that $t =_{ind(\mathcal{R})} s$.

We get two syntactically equal right-patterns ($c.\emptyset$), so the inductive procedure is called again on the base cases ($R(\emptyset, \emptyset)$ and $r(\emptyset)$), whose normal forms are equal to $\emptyset$.

Example 15. Let $r = l$ be

- $(top(r, 1221), ntp(r, 1221)\downarrow) = (s(m(x, e(x, y))), x + m(x, 0 + y)) \in DEC(r)$
- $(top(l, 1211), ntp(l, 1211)\downarrow) = (s(m(x, e(x, y))), m(x, s(0) + y)) \in DEC(l)$

We now have to prove $r' = l'$: $x + m(x, 0 + y) = m(x, s(0) + y)$

- $(top(r', 22), ntp(r', 22)\downarrow) = (m(x, y), x) \in DEC(r')$
- $(top(l', 22), ntp(l', 22)\downarrow) = (m(x, y), x) \in DEC(l')$

In this example, the induction procedure simply uses two pairs of partitions.

Example 16. Let $r = l$ be $\Sigma(x) = \Sigma I(x, 0)$. With patterns, $r[s(y)]_1\downarrow = s(y) + \Sigma(y)$ and $l[s(y)]_1\downarrow = \Sigma I(y, s(0 + y))$; then

- $(top(r[s(y)]_1\downarrow, 2), ntp(r[s(y)]_1\downarrow, 2)\downarrow) = (\Sigma(y), s(y))$ and

⁷ In an actual implementation of the algorithm, we can, for more efficiency, compute the DEC sets just once for every term or pattern. We can also avoid computing patterns for every position in $dom$ and consider just the inductive positions as defined in [14].
- $(nbt(l[s(y)]_1\downarrow, 211)\downarrow, bot(l[s(y)]_1\downarrow, 211)) = (\Sigma I(y, 0), s(0 + y))$.

Since $\Sigma(0)\downarrow = \Sigma I(0, 0)\downarrow = 0$, we have to verify $r' = l'$: $s(y) =_{ind(\mathcal{R})} s(0 + y)$.

Since $(s(y), 0)$ is a common partition of $r'$ and $l'$, we get that $r =_{ind(\mathcal{R})} l$.

We get two syntactically different right-patterns ($s(y)$ and $s(0 + y)$) but two base cases ($\Sigma(0)$ and $\Sigma I(0, 0)$) whose normal forms are equal, so the procedure is called on the two patterns. These patterns are proved inductively equal with a simple partition.

Example 17. Let $r = l$ be $(x * x) * (x * x) = x * (x * (x * x))$. With patterns,

$r[s(y)]_{22}\downarrow = (x * x) * (x * y + x)$ and $l[s(y)]_{222}\downarrow = x * (x * (x * (y + x)))$; then

- $(nbt(r[s(y)]_{22}\downarrow, 222)\downarrow, bot(r[s(y)]_{22}\downarrow, 222)) = ((x * x) * x, (x * x) * (x * y))$
- $(nbt(l[s(y)]_{222}\downarrow, 2222)\downarrow, bot(l[s(y)]_{222}\downarrow, 2222)) = (x * (x * x), x * (x * (x * y)))$.

Since $((x * x) * (x * 0))\downarrow = (x * (x * (x * 0)))\downarrow = 0$, we now have to verify $r' = l'$: $(x * x) * x = x * (x * x)$.

With patterns, $r'[s(y)]_2\downarrow = x * (x * y + x)$ and $l'[s(y)]_{22}\downarrow = x * (x * (y + x))$,

- $(nbt(r'[s(y)]_2\downarrow, 22)\downarrow, bot(r'[s(y)]_2\downarrow, 22)) = (x * x, (x * x) * y)$ and
- $(nbt(l'[s(y)]_{22}\downarrow, 222)\downarrow, bot(l'[s(y)]_{22}\downarrow, 222)) = (x * x, x * (x * y))$.

Since $((x * x) * 0)\downarrow = (x * (x * 0))\downarrow = 0$, we get that $r =_{ind(\mathcal{R})} l$.

Again, we have two different patterns but two base cases equal (w.r.t. $\mathcal{R}$), so the procedure is called on the two left-patterns ($(x * x) * x$ and $x * (x * x)$). These new terms share a common left-pattern ($x * x$), so the procedure is called again on the base cases ($(x * x) * 0$ and $x * (x * 0)$), whose normal forms are equal.

Example 18. Let $r = l$ be $e(x, y + z) = e(x, y) * e(x, z)$. Since no partition or pattern can be defined, we apply the GEN function. We get the equation $r' = l'$: $(e(x, y) * e(x, z)) * x = e(x, y) * (e(x, z) * x)$. With patterns,

- $r'[s(x')]_2\downarrow = ((e(x, y) * e(x, z)) * x') + (e(x, y) * e(x, z))$ and
- $l'[s(x')]_{22}\downarrow = e(x, y) * ((e(x, z) * x') + e(x, z))$

We then have $lpat(r', 2, s(x')) = e(x, y) * e(x, z) = lpat(l', 22, s(x'))$. Thus, since $((e(x, y) * e(x, z)) * 0)\downarrow = (e(x, y) * (e(x, z) * 0))\downarrow = 0$, we get that $r =_{ind(\mathcal{R})} l$.

The last example represents $x^{y+z} = x^y * x^z$. The function GEN applied on variable $z$ returns only one equation (since $e(x, y + 0)\downarrow = (e(x, y) * e(x, 0))\downarrow = e(x, y)$). Both sides of this equation $r' = l'$ share a common left-pattern ($e(x, y) * e(x, z)$), so the procedure is called again on the two base cases $(e(x, y) * e(x, z)) * 0$ and $e(x, y) * (e(x, z) * 0)$. Since their normal forms are equal to $0$, the conjecture $r = l$ is an inductive theorem.

7 Conclusion 

We have presented in this paper a new method to construct proofs that usually require mathematical induction with strongly generalized hypotheses and additional lemmas. The method is simple and allows us to obtain very elegant and natural proofs. We know how to handle simple fragments of arithmetic and how to apply the method to proofs of properties of programs computing over lists.

The method has some limitations, however. The requirement on monomorphic rewrite systems must be generalized to handle general recursive definitions. Further, we do not treat multiple conjectures whose proofs use each other in a mutually recursive fashion. Finally, most nontrivial program proofs involve conditional reasoning: it may be possible to generalize this method in some simple cases. An implementation of the method in the NICE system has been realized⁸.
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Abstract. The equational prover of the Theorema system is described. 
It is implemented on Mathematica and is designed for unit equalities in 
the first order or in the applicative higher order form. A (restricted) usage 
of sequence variables and Mathematica built-in functions is allowed. 



1 Introduction 

The Theorema^ system [7] is an integrated environment for proving, solving 
and computing built on the top of Mathematica [32] . It is based on early papers 
by Buchberger (e.g. [5,6]) and provides a front end for composing formal mathe- 
matical text consisting of a hierarchy of axioms, propositions, algorithms etc. in a 
common logic frame with user-extensible syntax, and a library of provers, solvers 
and simplifiers for proving, solving and simplifying mathematical formulae. 

The equational prover of Theorema is one of such provers, designed for unit 
equality problems in the first order or in the applicative higher order form. The 
input may contain sequence variables. A (restricted) usage of Mathematica built- 
in functions is allowed. The prover has two proving modes: unfailing completion 
[3] and simplification (rewriting/narrowing). It consists of the preprocessor, the 
kernel and the proof presenter parts. The preprocessor checks the input syntax, 
sets option values, Skolemizes, chooses a proving mode, an ordering and passes 
the preprocessed input to the kernel. The kernel runs a proof procedure with the 
chosen settings and passes the output to the proof presenter, which structures 
it, deletes redundant steps, introduces lemmata and constructs the proof object. 

2 Proof Procedure: Algorithm and Implementation 

The unfailing completion procedure is implemented as a given-clause algorithm
[23], where proof search is organized as a Discount [1] loop. The input of the
procedure is a set of (implicitly) universally closed equalities E, a ground goal G
and a (ground total) reduction ordering >, which can be either the lexicographic
path ordering (LPO), Knuth-Bendix ordering (KBO) or the lexicographic exten-
sion of the multiset path ordering with sequence variables (MPOSV [18]). Before
calling the completion procedure, we Skolemize all equations in the given prov-
ing problem. If the equation in the hypothesis contains existentially quantified
variables, we proceed in a standard way introducing a new function symbol
eq and two new constants, true and false. Then we add two new equations
eq(x, x) = true and eq(s, t) = false to E, where x is a variable and s and t are
the sides of the hypothesis, and true = false becomes the goal.

* Supported by the Austrian Science Foundation (FWF) under Project SFB F1302.

¹ http://www.theorema.org/.

R. Nieuwenhuis (Ed.): RTA 2003, LNCS 2706, pp. 367-379, 2003.

The proving procedure saturates E and works on a set of active facts A,
participating in the inference, and on a set of passive facts P, waiting to become
members of A. The completion loop is shown in Fig. 1. It is essentially the same
as the loop Waldmeister implements (see [20]).



Algorithm 1. Completion Loop
Function ProveByCompletion(E, G, >)
 1: (A, P) := (∅, E)
 2: while ¬trivial(G) ∧ P ≠ ∅ do
 3:   e := Select(P); P := P \ {e}
 4:   if ¬orphan(e) then
 5:     e := Normalize_A(e)
 6:     if ¬redundant(e) then
 7:       (A, P1) := Interred_>(A, e)
 8:       A := A ∪ {Orient_>(e)}
 9:       P2 := CP_>(e, A)
10:       P := P ∪ Normalize_A(P1 ∪ P2)
11:       G := Normalize_A(G)
12:     end
13:   end
14: end
15: return trivial(G)

Fig. 1. Main loop for proving by unfailing completion mode.



The predicate trivial on line 2 is true on an equality s = t iff s and t
are identical. The function Select on line 3 decides which equality should be
selected from the passive facts for activation. It has to guarantee that every passive
fact eventually becomes active, thus ensuring the fairness of the procedure. This
function selects a fact with the minimal weight. If there are several such facts,
then it chooses the oldest one. Moreover, once in each five iterations Select takes
the smallest fact where false occurs, if there is such a fact in P². The predicate
orphan on line 4 is true on e iff a parent equation of e has been reduced. The
predicate redundant on line 6 is true on e iff either e is trivial, is subsumed by
an equation in A or is ground joinable. The interreduction function Interred
on line 7 takes active facts that are reducible by e out of A and puts them into
P1. The Orient function on line 8 orients e with respect to >, if possible. The
function CP on line 9 generates all possible critical pairs between e and A. The
function Normalize does normalization with the active facts only. Passive facts
are normalized only on their generation and after selection.

² Barcelona and Fiesta implement such a selection criterion [26].

We store P as a heap of heaps, following the Waldmeister approach. It 
allows efficient “orphan murder” and fast selection of the minimal equation. We 
use Mathematica arrays to implement the heap. Terms are kept as stringterms. 

Normalization of the selected equation, new critical pairs or the goal, using 
active facts, is an example of forward simplification. Since the set of active facts 
grows larger and larger, fast identification of the appropriate fact for rewriting 
(generalization retrieval) becomes crucial. There are various indexing techniques 
suitable for this operation, like code trees [30], substitution trees [14], context 
trees [12] or various versions of discrimination trees [9,22,15]. However, in our 
case, instead of implementing an indexing technique, we decided to rely on Math- 
ematica rewriting tools, as its programming language is a rewrite language [4]³.
This approach is similar to what Stickel proposed in [27] , using the Prolog imple- 
mentation technology for model elimination. We call it Mathematica Technology 
Term Rewriting (MTTR) and show on the example below how it works. 

Let R and E be respectively the set of rules and the set of equations in A. As-
sume we have a rule for the associativity law in R: f(f(x, y), z) → f(x, f(y, z)).
Every active and passive fact has its unique label, an integer associated with
it. Let the label for the rule above be 5. Then we transform the rule into a
Mathematica assignment as follows: First, we normalize the variable names and
transform each variable in the left hand side of the rule into Mathematica pat-
terns, getting f[f[x1_, x2_], x3_]. Next, we make the Mathematica assignment:

    f[f[x1_, x2_], x3_, _ : {5}] := (AppendTo[$LABELS, {5}]; f[x1, f[x2, x3]]) /;
        ($PHASE === "Rewriting")

where $LABELS is a global variable, initialized with the empty list every time
before normalizing a term. After a term is normalized, $LABELS stores the list
of labels of those active facts which participated in the normalization. In the
condition, $PHASE is a global variable specifying the deduction phase. It pre-
vents unexpected evaluations. In the example above, the assignment becomes
applicable only at the "Rewriting" phase and not, for instance, at the "Subcon-
nectedness checking" phase, where we only need reducibility. The entire main
loop runs in the "Neutral" phase, switching to the specific phases when needed.

Transformation of equalities from E into delayed assignments is done in a
similar manner, but we add the ordering check additionally. For instance, an
equality f(x, f(y, z)) = f(y, f(z, x)) with label 6 is transformed into two assignments:

    f[x1_, f[x2_, x3_], _ : {"LR", 6}] :=
        (AppendTo[$LABELS, {"LR", 6}]; f[x2, f[x3, x1]]) /;
        ($PHASE === "Rewriting" && $GREATER[f[x1, f[x2, x3]], f[x2, f[x3, x1]]])

    f[x1_, f[x2_, x3_], _ : {"RL", 6}] :=
        (AppendTo[$LABELS, {"RL", 6}]; f[x3, f[x1, x2]]) /;
        ($PHASE === "Rewriting" && $GREATER[f[x1, f[x2, x3]], f[x3, f[x1, x2]]])

where $GREATER is a global variable whose value is the function specifying the
given reduction ordering. We make sure that for equalities like the commutativity
law, only one delayed assignment is made, instead of two. Note that the MTTR
approach treats constants as nullary function symbols.

³ We tried to implement discrimination trees, but since the low-level programming
capabilities are very restricted in the high-level Mathematica programming language,
which itself is not very fast, we did not get a reasonable performance.

When we need to rewrite a term t in a phase p, we simply call the function 
rewrite on t and p. rewrite is implemented as follows: 

    Clear[rewrite];
    rewrite[term_, phase_] := Module[{ans},
        With[{y = $SIGNATURE}, $PHASE = phase; Map[Update, y]];
        ans = term; $PHASE = "Neutral"; ans];

where $SIGNATURE is a global variable whose value is a list of all constants and
function symbols occurring in the problem.

MTTR is probably one of the fastest ways of doing rewriting in Mathematica, 
but it has disadvantages as well, namely, we have minimal control on rewriting 
strategies, can not keep track of results of single rewrite steps, and should put 
additional control to prevent unexpected evaluation. 

We found useful to use Mathematica matching mechanism in forward sub- 
sumption as well, which is one of the redundancy criteria for the selected equa- 
tion. Another redundancy criterion is the ground joinability test [2], implemented 
for associative-commutative symbols only: we add to the active facts a ground 
complete subset for an AC symbol / consisting of AC axioms and the additional 
equation f{x,f{y,z)) = f{y,f{x,z)). Any other equation joinable modulo AC 
can be deleted. Such an equation is called ground joinable. To test ground join-
ability we use the following trick: for each AC symbol f we create a new func-
tion symbol nf, make a list of transformation rules $AC-SYMBOLS = {f → nf, ...}
and set the attributes of nf to {Flat, Orderless, OneIdentity}. Then testing
whether s = t is ground joinable reduces to testing whether s /. $AC-SYMBOLS and
t /. $AC-SYMBOLS are identical⁴.

Mathematica delayed assignment rules are employed also in caching for term
orderings. The orderings like LPO or MPOSV compare the same term pairs many
times. To avoid repeated work we store the result of a comparison between two
terms s and t as cachedComparison[s, t] := result, where result is either True
or False, and look it up whenever s and t have to be compared again⁵.
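The ground-joinability trick above, as an added example that is not part of the paper or of the Theorema implementation: a Python normalizer that reproduces what the Flat, Orderless and OneIdentity attributes do for the fresh symbol nf, and a test that declares s = t ground joinable exactly when both sides collapse to the same AC normal form. The term representation (strings for variables and constants, tuples for applications), the AC_SYMBOLS set and the use of repr as the canonical argument order are assumptions of this example.

```python
# Added example: the ground-joinability test via AC-normalization, mimicking the
# Flat/Orderless/OneIdentity attributes that the prover gives the fresh symbol nf.
# Assumed representation: a str is a variable or constant, (sym, a1, ..., ak) an application.
AC_SYMBOLS = {'f'}   # assumed set of AC symbols (the f of the $AC-SYMBOLS rule list)


def ac_normal_form(t):
    """Normalize t modulo the AC symbols: flatten nested occurrences (Flat),
    sort arguments into a canonical order (Orderless) and collapse f[a] to a (OneIdentity)."""
    if isinstance(t, str):
        return t
    sym = t[0]
    args = [ac_normal_form(a) for a in t[1:]]
    if sym not in AC_SYMBOLS:
        return (sym,) + tuple(args)
    flat = []
    for a in args:
        if isinstance(a, tuple) and a[0] == sym:
            flat.extend(a[1:])            # Flat: f[x, f[y, z]] -> f[x, y, z]
        else:
            flat.append(a)
    flat.sort(key=repr)                   # Orderless: any fixed total order will do
    if len(flat) == 1:
        return flat[0]                    # OneIdentity: f[x] -> x
    return (sym,) + tuple(flat)


def ground_joinable(s, t):
    """s = t is joinable modulo AC iff both sides have the same AC normal form."""
    return ac_normal_form(s) == ac_normal_form(t)
```

The equation f(x, f(y, z)) = f(f(z, x), y) is reported ground joinable because both sides flatten and sort to f(x, y, z), whereas f(g(x, y), z) = f(g(y, x), z) is not, since g is not an AC symbol and its arguments keep their order.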

With interreduction and critical pair generation the situation becomes more 
complicated. Here we need to perform instance and unifiable retrieval on the set 
of active facts. Mathematica does not provide mechanisms which would make 
possible to implement these operations in the same spirit as we did for general- 
ization retrieval. In order to perform instance retrieval in more or less reasonable 
way, we had to implement some kind of indexing for the terms in active facts. 
We chose path indexing [28], because it does not involve backtracking, insertion 
and deletion can be done more efficiently than for other indexing techniques, is 
economical in terms of memory usage, and is useful for retrieving instances (see 
[25]). One of the main disadvantages of path indexing is that it requires costly 



⁴ In Mathematica /. is a short notation for the function ReplaceAll.

⁵ The idea of caching was implemented earlier in Dedam by RPO caching [26].




Equational Prover of Theorema 371 



union and intersection operations to combine intermediate results. We use Math- 
ematica built-in functions Union and Intersection for these operations. 
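Instance retrieval with a path index, as an added example that is not the prover's own code: a Python path index over a small tuple term representation (assumed here: strings starting with '?' are variables, other strings are constants, tuples are applications). Every non-variable position of the query contributes one set of term ids, and the candidate set is their intersection, the operation the paragraph above calls costly; since the index is only a filter (it cannot see a variable repeated in the query), the candidates are confirmed by syntactic matching. Insertion and deletion touch nothing but the sets, which is the "no backtracking" property the paper relies on.

```python
# Added example: path indexing with set intersection for instance retrieval.
# Assumed representation (not the prover's): a str starting with '?' is a variable,
# any other str is a constant, (sym, a1, ..., ak) is an application.
from collections import defaultdict


def is_var(t):
    return isinstance(t, str) and t.startswith('?')


def paths(t, prefix=()):
    """Yield (path, symbol) for every non-variable position of t.
    A path lists the (symbol, argument number) steps taken from the root."""
    if is_var(t):
        return
    if isinstance(t, str):
        yield prefix, t
        return
    yield prefix, t[0]
    for i, a in enumerate(t[1:], 1):
        yield from paths(a, prefix + ((t[0], i),))


def match(pat, t, sigma):
    """Syntactic matching pat*sigma == t; returns the extended sigma or None."""
    if is_var(pat):
        return sigma if sigma.setdefault(pat, t) == t else None
    if isinstance(pat, str) or isinstance(t, str):
        return sigma if pat == t else None
    if pat[0] != t[0] or len(pat) != len(t):
        return None
    for p, a in zip(pat[1:], t[1:]):
        if match(p, a, sigma) is None:
            return None
    return sigma


class PathIndex:
    def __init__(self):
        self.table = defaultdict(lambda: defaultdict(set))  # path -> symbol -> ids
        self.terms = {}

    def insert(self, tid, t):
        self.terms[tid] = t
        for p, sym in paths(t):
            self.table[p][sym].add(tid)

    def delete(self, tid):
        # no backtracking and no restructuring: just drop the id from each set
        for p, sym in paths(self.terms.pop(tid)):
            self.table[p][sym].discard(tid)

    def instances(self, q):
        """Ids of indexed terms t with t = q*sigma for some sigma.
        Every symbol position of q constrains t, so the candidate set is the
        intersection of one set per position; variable positions of q add nothing.
        The index is only a filter (it cannot see repeated variables in q),
        so candidates are confirmed with a real match."""
        cands = None
        for p, sym in paths(q):
            s = self.table[p][sym]
            cands = set(s) if cands is None else cands & s
        if cands is None:            # q is a variable: every term is an instance
            cands = set(self.terms)
        return {i for i in cands if match(q, self.terms[i], {}) is not None}
```

Querying f(?y, ?y) against an index holding f(g(a), b) and f(b, b) shows why the final match is needed: the index alone only knows that both terms have f at the root, and only the match rejects f(g(a), b).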

The main loop for proving by simplification, unlike Algorithm 1, does not 
perform interreduction and orphan testing, and does not generate critical pairs 
unless at least one of the parent equations contains a term with the head eq. The 
simplification mode has one more specific feature: optionally, all equations can 
be oriented from left to right. In this case, of course, termination of rewriting is 
not guaranteed and the prover issues the corresponding warning. 

3 Extensions 

3.1 Sequence Variables 

A sequence variable is a variable that can be instantiated with an arbitrary finite, 
possibly empty, sequence of terms. To distinguish, we call ordinary variables 
individual variables. Sequence variables are allowed to appear only as arguments 
of flexible arity symbols. The main difficulty in deduction with sequence variables 
is infinitary unification, even in the syntactic case ([19]). However, it was shown 
to be decidable in [17] and a theorem proving procedure with constraints a la 
Nieuwenhuis/Rubio [24] was proposed in [18]. 

The equational prover of Theorema implements unfailing completion with
sequence variables occurring only in the last argument positions in terms (as,
e.g., in f(a, f(x, x̄), g(x), ȳ), where x̄ and ȳ are sequence variables). It makes
unification unitary. A rule-based unification algorithm is shown in Fig. 2.



Algorithm 2. Unification with sequence variables in the last argument positions
Function unify(s, t), s and t are not sequence variables
1: unify(t, t) := {}
2: unify(x, t) := {x ← t} if x ≠ t and x ∉ vars(t)
3: unify(t, x) := {x ← t} if x ≠ t and x ∉ vars(t)
4: unify(f(s, s̃), f(t, t̃)) := compose(σ, unify(f'(s̃)σ, f'(t̃)σ)) if σ = unify(s, t) and σ ≠ fail
5: unify(f(x̄), f(t̃)) := {x̄ ← t̃} if x̄ ≠ t̃ and x̄ ∉ vars(t̃)
6: unify(f(t̃), f(x̄)) := {x̄ ← t̃} if x̄ ≠ t̃ and x̄ ∉ vars(t̃)
7: unify(s, t) := fail otherwise

Fig. 2. Unification for terms with sequence variables in the last argument position

The input of the algorithm are two terms which are not sequence variables
themselves, and all occurrences of sequence variables happen only in the last
argument positions of subterms. The compose function on line 4 returns fail
if at least one of its arguments is fail; otherwise it composes the substitutions in
its first and second arguments. s̃ and t̃ denote arbitrary finite, possibly empty,
sequences of terms. vars(t) (resp. vars(t̃)) is the set of all individual and sequence
variables of a term t (resp. of a sequence of terms t̃). x is an individual variable, x̄
is a sequence variable. The function symbol f' on line 4 is a new flexible arity
symbol if the symbol f on the same line has a fixed arity; otherwise f' and f
are the same. The function symbol f on lines 5 and 6 has a flexible arity.
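Algorithm 2 carried out in code, as an added example that is not part of the paper or of Theorema: a Python implementation of the rules of Fig. 2 over a small tuple term representation (assumed here: individual variables as ('var', name), sequence variables as ('seq', name), applications as (symbol, arguments...)). A sequence variable is bound to a tuple of terms, so composition and substitution splice such bindings into argument lists; the flexible-arity f' of line 4 is simply the symbol of the term itself, because this representation does not enforce arities. The precondition of the figure, that sequence variables occur only in last argument positions, is checked and violations raise an error.

```python
# Added example: unification with sequence variables in last argument positions (Fig. 2).
# Assumed term representation (not Theorema's):
#   ('var', n)            individual variable
#   ('seq', n)            sequence variable, allowed only as the last argument
#   (sym, a1, ..., ak)    application of sym (a str other than 'var'/'seq'), k >= 0
# A substitution is a dict: an individual variable maps to a term,
# a sequence variable maps to a tuple of terms (possibly empty). fail is None.

FAIL = None


def is_ivar(t):
    return t[0] == 'var'


def is_svar(t):
    return t[0] == 'seq'


def vars_of(ts):
    """Set of all individual and sequence variables in a sequence of terms."""
    out = set()
    for t in ts:
        if is_ivar(t) or is_svar(t):
            out.add(t)
        else:
            out |= vars_of(t[1:])
    return out


def subst_seq(ts, sigma):
    """Apply sigma to a sequence of terms; a bound sequence variable is spliced in."""
    out = []
    for t in ts:
        if is_svar(t):
            out.extend(sigma.get(t, (t,)))
        elif is_ivar(t):
            out.append(sigma.get(t, t))
        else:
            out.append((t[0],) + subst_seq(t[1:], sigma))
    return tuple(out)


def compose(s1, s2):
    """Substitution s1 followed by s2; fail if either argument failed."""
    if s1 is FAIL or s2 is FAIL:
        return FAIL
    out = {v: (subst_seq(b, s2) if is_svar(v) else subst_seq((b,), s2)[0])
           for v, b in s1.items()}
    for v, b in s2.items():
        out.setdefault(v, b)
    return out


def unify(s, t):
    """unify(s, t) of Fig. 2; s and t must not be sequence variables."""
    if is_svar(s) or is_svar(t):
        raise ValueError("arguments must not be sequence variables")
    if s == t:                                                   # line 1
        return {}
    if is_ivar(s):                                               # line 2
        return {s: t} if s not in vars_of((t,)) else FAIL
    if is_ivar(t):                                               # line 3
        return {t: s} if t not in vars_of((s,)) else FAIL
    if s[0] != t[0]:                                             # line 7
        return FAIL
    sa, ta = s[1:], t[1:]
    if len(sa) == 1 and is_svar(sa[0]):                          # line 5
        return {sa[0]: ta} if sa[0] not in vars_of(ta) else FAIL
    if len(ta) == 1 and is_svar(ta[0]):                          # line 6
        return {ta[0]: sa} if ta[0] not in vars_of(sa) else FAIL
    if not sa or not ta:                                         # different arities: line 7
        return FAIL
    if is_svar(sa[0]) or is_svar(ta[0]):
        raise ValueError("sequence variable not in last argument position")
    sigma = unify(sa[0], ta[0])                                  # line 4
    if sigma is FAIL:
        return FAIL
    # f' is flexible-arity here, so the remaining arguments keep the symbol of s
    rest_s = (s[0],) + subst_seq(sa[1:], sigma)
    rest_t = (s[0],) + subst_seq(ta[1:], sigma)
    return compose(sigma, unify(rest_s, rest_t))
```

Unifying f(x, x̄) with f(g(x̄), a) shows the composition at work: line 4 first binds x to g(x̄), the recursive call on f(x̄) and f(a) binds x̄ to the one-element sequence a, and compose pushes that binding into the earlier one, giving {x ← g(a), x̄ ← a}. The occurs check of lines 5 and 6 makes f(x̄) against f(a, x̄) fail.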

In the simplification mode we use sequence variables without any restrictions
on their occurrence. It means that in this case unification is infinitary and match-
ing is finitary. For the moment we do not allow existential goals in this setting,
and therefore unification problems do not appear. As for matching/rewriting,
MTTR follows the Mathematica strategy, choosing from the finite alternatives
the matcher that assigns the shortest sequences of terms to the first sequence
variables that appear in the pattern⁶.

Unrestricted quantification over sequence variables takes the language be- 
yond first-order expressiveness. In [17] we considered an extension of the lan- 
guage with constructs called pattern-terms, which abbreviate term sequences of 
unknown length matching certain “pattern”, like, for instance, all the terms in 
the sequence having the same arguments, but different top function symbols. 
Such pattern-terms are naturally introduced via Skolemization. In the unfailing 
completion mode of the prover we allow pattern-terms to occur only in the last 
argument positions in terms whose top function symbol has a flexible arity. A 
pattern-term can be unified only with a sequence variable which does not occur 
in it, or with an identical pattern-term. 

The MTTR technique has to be extended to terms with sequence vari-
ables and pattern-terms. First, each sequence variable should be transformed
into the corresponding pattern (an identifier with three underscores). Second,
since individual variables match neither sequence variables nor pattern-terms,
we have to restrict Mathematica patterns that correspond to individual vari-
ables. Thus, a term f(x, g(x̄), x̄), where x̄ is a sequence variable, g(x̄) is a
pattern-term and x is an individual variable, will be transformed into the pattern

    f[x1_?(!MatchQ[#, .var[.seq[_]]] && !MatchQ[#, .seq[_]] &), .seq[g[x2___]], x2___]⁷.

We also extended the path indexing technique to index terms with sequence 
variables and pattern-terms in the last argument positions. However, more effort 
has to be made here to improve efficiency of retrieval operations. 



3.2 Problems in Applicative Higher Order Form 

Warren introduced in [31] a method to translate expressions from higher order
applicative form into first order syntax, preserving both declarative and narrow-
ing semantics [13]. With this translation, for example, the higher order equa-
tion twice(F)(X) = F(F(X)) is translated into the equations twice(F, X) =
apply(F, apply(F, X)), apply(twice0, F) = twice1(F), apply(twice1(F), X) =
twice(F, X), where apply is a new binary function and twice0 and twice1 are new
constructors representing partial applications. Since Theorema syntax allows
higher order expressions, the equational prover can accept such an input. Then
the input is translated by Warren's method into the first order form, on which
the proving procedure is applied. The output is translated back into higher order
form. Thus, the user sees only higher order input and output.

⁶ Recently, [21] proposed an approach to gain more control on rewriting with sequence
variables in Mathematica.

⁷ .var and .seq are Theorema tags respectively for variables and for sequences.
.var[.seq[_]] is a Mathematica pattern which can match any Theorema sequence
variable and .seq[_] can match any Theorema pattern-term.

Optionally, if the proving mode is simplification and the goal is universal, 
MTTR can be applied immediately, without Warren’s translation, because the 
Mathematica programming language supports rewriting with higher order con- 
structs. In this case currently the equalities are oriented from left to right, but 
we intend to implement HORPO [16] as well. 

At the current stage sequence variables and pattern-terms can be used in 
higher order problems only in the simplification mode with universal goals. 
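Warren's translation as an added example in Python, not the prover's own implementation: a curried higher order term is unwound into its head and argument list, a head with a known first order arity n is translated to a saturated call when it has n arguments, to a partial-application constructor head_k when it has k < n, and any surplus arguments (or a variable head) go through apply; the bridge equations apply(sym_k(X1..Xk), X_{k+1}) = sym_{k+1}(X1..X_{k+1}) are generated per symbol. The term representation, the ARITY signature and the naming scheme head_k are assumptions of this example; on twice(F)(X) = F(F(X)) it produces exactly the three equations quoted in Section 3.2.

```python
# Added example: Warren's translation of applicative higher order terms into first
# order syntax. Assumed representation (not Theorema's): an uppercase str is a
# variable, ('@', fun, arg) is curried application, and first order terms are
# (sym, a1, ..., ak) with constants as 0-ary tuples. ARITY is the assumed signature.
ARITY = {'twice': 2}


def spine(t):
    """Unwind ('@', ('@', h, a1), a2) into (h, [a1, a2])."""
    args = []
    while isinstance(t, tuple) and t[0] == '@':
        args.insert(0, t[2])
        t = t[1]
    return t, args


def to_fo(t):
    """Translate a higher order term; returns a first order term."""
    head, args = spine(t)
    args = [to_fo(a) for a in args]
    if head in ARITY:
        n = ARITY[head]
        if len(args) < n:
            # partial application: constructor head_k holding the k arguments seen so far
            return (f'{head}{len(args)}',) + tuple(args)
        base, rest = (head,) + tuple(args[:n]), args[n:]   # saturated call
    else:
        base, rest = head, args                            # variable head
    for a in rest:                                         # extra arguments via apply
        base = ('apply', base, a)
    return base


def bridge_equations(sym, n):
    """apply(sym_k(X1..Xk), X_{k+1}) = sym_{k+1}(X1..X_{k+1}) for k < n,
    where sym_n is sym itself; these let the first order prover apply a
    partially applied sym to further arguments."""
    xs = [f'X{i}' for i in range(1, n + 1)]
    eqs = []
    for k in range(n):
        lhs = ('apply', (f'{sym}{k}',) + tuple(xs[:k]), xs[k])
        rhs_head = sym if k + 1 == n else f'{sym}{k + 1}'
        eqs.append((lhs, (rhs_head,) + tuple(xs[:k + 1])))
    return eqs


def translate_equation(lhs, rhs):
    """Translate lhs = rhs and add the bridge equations of every symbol in ARITY."""
    eqs = [(to_fo(lhs), to_fo(rhs))]
    for sym, n in ARITY.items():
        eqs.extend(bridge_equations(sym, n))
    return eqs
```

Over-application is handled too: twice(F)(X)(Y) becomes apply(twice(F, X), Y), which is what lets a first order completion procedure treat the result of a saturated call as a function again.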



3.3 Using Mathematica Built-in Functions 

We incorporate Mathematica built in functions in the proving task in the follow- 
ing way: On the one hand, to be interpreted as a Mathematica built-in function 
it is not enough for a function in the proving problem to have a syntax of a 
Mathematica function. It has to be stated explicitly that it is a built-in function 
(Theorema has a special construct built-in for that). Moreover, a function 
can get its built-in meaning only when it appears in the goal. After normaliza- 
tion, the goal is checked on joinability modulo built-in meaning of the Mathe- 
matica functions in it, but the built-ins are not used to derive new goals. On the 
other hand, the approach is not completely sceptical: after a built-in function is 
identified, it is trusted and the result of computation is not checked. Therefore, 
when Mathematica functions are involved in the task, in the prover output it is 
stated: “If the built-in computation is correct, the following theorem holds...”. 
The integration tool is still at the experimental level and needs further develop- 
ment, e.g. integrating existing frameworks of combining computer algebra and 
theorem proving/rule based reasoning (with [8] as a particular example). 

4 Proof Presentation 

We use the Proof Communication Language (PCL) [11] to describe proofs. A 
slight modification is needed to represent reduction steps, because MTTR does 
not show intermediate rewriting results. Proofs are structured into lemmata. 
Proofs of universally closed theorems are displayed as equational chains, while 
those of existential theorems represent sequences of equations. The symbols eq, 
true and false are not shown. In failing proofs, on the one hand, the theorems 
which have been proved during completion are given, and on the other hand, 
failed propositions whose proving would lead to proving the original goal are 
displayed, if there are any. They are obtained from descendants of the goal and 
certain combinations of their sides. 
5 Examples

Example 1 (Insertion sort). This is an example of using sequence variables and
Mathematica functions. The assumptions specify the insertion sort:

    Assumption["1", ∀_n (insert[n, ⟨⟩] = ⟨n⟩)]
    Assumption["2", ∀_{n,m,x̄} (insert[n, ⟨m, x̄⟩] = prepend[max[m, n], insert[min[n, m], ⟨x̄⟩]])]
    Assumption["3", sort[⟨⟩] = ⟨⟩]
    Assumption["4", ∀_{x,ȳ} (sort[⟨x, ȳ⟩] = insert[x, sort[⟨ȳ⟩]])]
    Assumption["5", ∀_{x,ȳ} (prepend[x, ⟨ȳ⟩] = ⟨x, ȳ⟩)]

where min and max are interpreted as the Mathematica Min and Max functions:

    Built-in["MinMax",
        min → Min "Minimum"
        max → Max "Maximum"]

We would like to prove the following proposition:

    Proposition["sort", ∃_x̄ (sort[⟨1, 3, 2.4, -4⟩] = ⟨x̄⟩)]

The equational prover is called to prove the proposition under the given
assumptions and built-ins. In addition, numbers are treated in the Mathematica
built-in way and all the equations are oriented from left to right:

    Prove[Proposition["sort"], using → {Assumption["1"], Assumption["2"],
            Assumption["3"], Assumption["4"], Assumption["5"]},
        by → EquationalProver,
        built-in → {Built-in["MinMax"], Built-in["Numbers"]},
        ProverOptions → {EqPrOrdering → "LeftToRight"}]

The output of the prove call is placed in a new notebook. Theorema dis-
plays it in an elegant way, with natural language text, hierarchically nested cells,
hyperlinks, colors, etc. We show the (final part of the) generated proof below⁸:

To prove (Proposition (sort)), we have to find x̄* such that
(1) sort[⟨1, 3, 2.4, -4⟩] = ⟨x̄*⟩.

We will use the following assumptions, referring to them as axioms:
(Axiom 1) sort[⟨⟩] = ⟨⟩.
(Axiom 2) ∀_{x1} (insert[x1, ⟨⟩] = ⟨x1⟩).
(Axiom 3) ∀_{x1,x̄2} (prepend[x1, ⟨x̄2⟩] = ⟨x1, x̄2⟩).
(Axiom 4) ∀_{x1,x̄2} (sort[⟨x1, x̄2⟩] = insert[x1, sort[⟨x̄2⟩]]).
(Axiom 5) ∀_{x1,x2,x̄3} (insert[x1, ⟨x2, x̄3⟩] = prepend[max[x2, x1], insert[min[x1, x2], ⟨x̄3⟩]]).

We choose
x̄* = Sequence[3, 2.4, 1, -4]
and show that the equality (1) holds for this value (assuming that the built-in
simplification/decomposition is sound):

(Theorem) sort[⟨1, 3, 2.4, -4⟩] = ⟨3, 2.4, 1, -4⟩.

Proof.
sort[⟨1, 3, 2.4, -4⟩] = ⟨3, 2.4, 1, -4⟩
if and only if (by (Axiom 4) LR, (Axiom 4) LR, (Axiom 4) LR, (Axiom 4) LR, (Axiom 1) LR, (Axiom 2) LR)
insert[1, insert[3, insert[2.4, ⟨-4⟩]]] = ⟨3, 2.4, 1, -4⟩
if and only if (by (Axiom 5) LR, (Axiom 2) LR, (Axiom 3) LR)
insert[1, insert[3, ⟨max[-4, 2.4], min[2.4, -4]⟩]] = ⟨3, 2.4, 1, -4⟩
if and only if (by (Axiom 5) LR, (Axiom 5) LR, (Axiom 2) LR, (Axiom 3) LR, (Axiom 3) LR, (Axiom 5) LR, (Axiom 5) LR, (Axiom 5) LR, (Axiom 2) LR, (Axiom 3) LR, (Axiom 3) LR, (Axiom 3) LR)
⟨max[max[max[-4, 2.4], 3], 1],
 max[max[min[2.4, -4], min[3, max[-4, 2.4]]], min[1, max[max[-4, 2.4], 3]]],
 max[min[min[3, max[-4, 2.4]], min[2.4, -4]], min[min[1, max[max[-4, 2.4], 3]], max[min[2.4, -4], min[3, max[-4, 2.4]]]]],
 min[min[min[1, max[max[-4, 2.4], 3]], max[min[2.4, -4], min[3, max[-4, 2.4]]]], min[min[3, max[-4, 2.4]], min[2.4, -4]]]⟩ = ⟨3, 2.4, 1, -4⟩
if and only if (by the built-in simplification/decomposition)
⟨3, 2.4, 1, -4⟩ = ⟨3, 2.4, 1, -4⟩
which, by reflexivity of equality, concludes the proof. □

⁸ Koji Nakagawa provided a tool to translate the proofs from the Theorema proof
format into LaTeX form.



Example 2 (Combinatory logic). This is an example of a problem in applicative
higher order form. The strong fixed point property holds for the set consisting of
the combinators B and W only⁹. The prover uses Warren's method to translate
the problem into first order form, proves it with the unfailing completion procedure
and shows the output again in the higher order form. The proof is given below:

Prove:
(Proposition (goal)) strong-fixed-point[fixed-pt] = fixed-pt[strong-fixed-point[fixed-pt]]

We will use the following assumptions, referring to them as axioms:
(Axiom 1) ∀_{x,y} (x[y][y] = W[x][y]).
(Axiom 2) ∀_{x,y,z} (B[x][y][z] = x[y[z]]).
(Axiom 3) B[W[W]][B[W][B[B][B]]] = strong-fixed-point.

We need the following propositions:

(Lemma 1) ∀_{x1} (W[W][W[B[B[x1]]]] = strong-fixed-point[x1])

Proof. We take all variables arbitrary but fixed.
W[W][W[B[B[x1]]]] = (by (Axiom 2) RL, (Axiom 2) RL)
W[W][B[W][B[B][B]][x1]] = (by (Axiom 2) RL)
B[W[W]][B[W][B[B][B]]][x1] = (by (Axiom 3) LR)
strong-fixed-point[x1]. □

(Lemma 2) ∀_{x1,x2} (x1[W[x2][x2]] = W[W[B[B[x1]]]][x2])

Proof. We take all variables arbitrary but fixed.
x1[W[x2][x2]] = (by (Axiom 1) RL)
x1[x2[x2][x2]] = (by (Axiom 2) RL)
B[B[x1]][x2][x2][x2] = (by (Axiom 1) LR)
W[W[B[B[x1]]]][x2]. □

(Lemma 3) W[W][W[B[B[fixed-pt]]]] = fixed-pt[W[W][W[B[B[fixed-pt]]]]]

Proof.
W[W][W[B[B[fixed-pt]]]] = (by (Axiom 1) RL)
W[W[B[B[fixed-pt]]]][W[B[B[fixed-pt]]]] = (by (Lemma 2) RL)
fixed-pt[W[W[B[B[fixed-pt]]]][W[B[B[fixed-pt]]]]] = (by (Axiom 1) LR)
fixed-pt[W[W][W[B[B[fixed-pt]]]]]. □

(Proposition 1) fixed-pt[strong-fixed-point[fixed-pt]] = strong-fixed-point[fixed-pt].

Proof.
fixed-pt[strong-fixed-point[fixed-pt]] = (by (Lemma 1) RL)
fixed-pt[W[W][W[B[B[fixed-pt]]]]] = (by (Lemma 3) RL)
W[W][W[B[B[fixed-pt]]]] = (by (Lemma 1) LR)
strong-fixed-point[fixed-pt]. □

Now, we prove (Proposition (goal)).

(Theorem) strong-fixed-point[fixed-pt] = fixed-pt[strong-fixed-point[fixed-pt]]

Proof.
strong-fixed-point[fixed-pt] = (by (Proposition 1) RL)
fixed-pt[strong-fixed-point[fixed-pt]]. □

⁹ In TPTP this problem is stated in the first order form in COL003-12.p.

6 Performance and Future Development 

From 431 unit equality problems in TPTP v2.4.0 [29] the prover solved 180 (42%)
within 300 seconds on a Linux PC, Intel Pentium 4, 1.5GHz, 128Mb RAM¹⁰.
The performance is lower than the one of, for instance, Waldmeister (85%),
Discount (70%), Fiesta (68%) or CiME [10] (53%), but it should be taken
into account that Mathematica is fundamentally an interpreter, the prover does
not have many heuristics and is not tuned for any specific class of problems. It
is still at the experimental level, and there is room to improve in many parts
of it. Especially, the autonomous mode can be strengthened with a structure
detection facility, and instance and unification retrievals can be done more effi-
ciently. Proving with constraints involving sequence variables might be another
interesting future development.

¹⁰ This does not include problems proved with some user interaction (e.g., choosing
appropriate precedence, ordering, age-weight ratio, etc.), but only those ones proved
in the autonomous mode.

Strong sides of the prover are its abilities to handle sequence variables and 
problems in applicative higher form, and to interface Mathematica functions. 
Theorema provides yet another advantage - a convenient, user-friendly inter- 
face, and human-oriented proof presentation tools. 

Acknowledgments 

My thanks go to Prof. Bruno Buchberger and all the Theorema group members. 

References 

1. J. Avenhaus, J. Denzinger, and M. Fuchs. Discount: a system for distributed 
equational deduction. In J. Hsiang, editor, Proceedings of the 6th RTA, volume 
914 of LNCS, pages 397-402, Kaiserslautern, Germany, 1995. Springer. 

2. J. Avenhaus, Th. Hillenbrand, and B. Löchner. On using ground joinable equa-
tions in equational theorem proving. J. Symbolic Computation, 2002. To appear.

3. L. Bachmair, N. Dershowitz, and D. Plaisted. Completion without failure. In
H. Aït-Kaci and M. Nivat, editors, Resolution of Equations in Algebraic Struc-
tures, volume 2, pages 1-30. Elsevier Science, 1989.

4. B. Buchberger. Mathematica as a rewrite language. In T. Ida, A. Ohori, and 
M. Takeichi, editors, Proceedings of the 2nd Fuji Int. Workshop on Functional 
and Logic Programming, pages 1-13, Shonan Village Center, Japan, 1-4 November 
1996. World Scientific. 

5. B. Buchberger. Symbolic computation: Computer algebra and logic. In F. Baader 
and K.U. Schulz, editors, Frontiers of Combining Systems, Applied Logic Series, 
pages 193-220. Kluwer Academic Publishers, 1996. 

6. B. Buchberger. Using Mathematica for doing simple mathematical proofs (invited
paper). In Proceedings of the Mathematica Users' Conference, pages 80-96,
Tokyo, Japan, 2 November 1996. Wolfram Media Publishing.

7. B. Buchberger, C. Dupre, T. Jebelean, F. Kriftner, K. Nakagawa, D. Vasaru, and 
W. Windsteiger. The Theorema project: A progress report. In M. Kerber and 
M. Kohlhase, editors, Proceedings of Calculemus’2000 Conference, pages 98-113, 
St. Andrews, UK, 6-7 August 2000. 

8. R. Bündgen. Combining computer algebra and rule based reasoning. In J. Calmet
and J. A. Campbell, editors, Integrating Symbolic Mathematical Computation and
Artificial Intelligence. Proceedings of AISMC-2, volume 958 of LNCS, pages 209-
223, Cambridge, UK, 3-5 August 1994. Springer.

9. J. Christian. Flatterms, discrimination trees, and fast term rewriting. J. Automated 
Reasoning, 10(1):95-113, 1993. 

10. E. Contejean, C. Marché, B. Monate, and X. Urbain. CiME version 2, 2000.
http://cime.lri.fr/.

11. J. Denzinger and S. Schulz. Analysis and representation of equational proofs gen- 
erated by a distributed completion based proof system. SEKI-report SR-94-05, 
University of Kaiserslautern, Germany, 1994. 







12. H. Ganzinger, R. Nieuwenhuis, and P. Nivela. Context trees. In R. Goré, A. Leitsch,
and T. Nipkow, editors, Automated Reasoning. Proceedings of the IJCAR'01, vol-
ume 2083 of LNAI, pages 242-256, Siena, Italy, June 2001. Springer.

13. J. C. González-Moreno. A correctness proof for Warren's HO into FO translation.
In D. Saccà, editor,Proc. of the 8th Italian Conference on Logic Programming
(GULP'93), pages 569-585, Gizzeria Lido, Italy, June 1993. Mediterranean Press.

14. P. Graf. Substitution tree indexing. In J. Hsiang, editor, Proceedings of the 6th RTA,
volume 914 of LNCS, pages 117-131, Kaiserslautern, Germany, 1995. Springer.

15. T. Hillenbrand, A. Buch, R. Vogt, and B. Löchner. Waldmeister - high-
performance equational deduction. J. Automated Reasoning, 18(2):265-270, 1997.

16. J.-P. Jouannaud and A. Rubio. The higher order recursive path ordering. In
Proceedings of the 14th annual IEEE symposium LICS, Trento, Italy, 1999.

17. T. Kutsia. Solving and proving in equational theories with sequence variables and 
flexible arity symbols. Technical Report 02-09, PhD Thesis. Research Institute for 
Symbolic Computation, Johannes Kepler University, Linz, Austria, 2002. 

18. T. Kutsia. Theorem proving with sequence variables and flexible arity symbols. In 
M. Baaz and A. Voronkov, editors. Logic in Programming, Artificial Intelligence 
and Reasoning. International Conference LPAR’02, volume 2514 of LNAI, pages 
278-291, Tbilisi, Georgia, 2002. Springer. 

19. T. Kutsia. Unification with sequence variables and flexible arity symbols and its ex- 
tension with pattern-terms. In J. Calmet, B. Benhamou, O. Caprotti, L. Henocque, 
and V. Sorge, editors, Proceedings of Joint AISC’2002 - Calculemus’2002 confer- 
ence, volume 2385 of LNAI, Marseille, France, 1-5 July 2002. Springer. 

20. B. Löchner and Th. Hillenbrand. A phytography of Waldmeister. AI Commu-
nications, 15(2,3):127-133, 2002.

21. M. Marin. Introducing Sequentica, 2002. http://www.score.is.tsukuba.ac.jp/
~mmarin/Sequentica/.

22. W. W. McCune. Experiments with discrimination-tree indexing and path-indexing 
for term retrieval. J. Automated Reasoning, 9(2): 147-167, 1992. 

23. W. W. McCune. Otter 3.0 reference manual and guide. Technical Report ANL- 
94/6, Argonne National Laboratory, Argonne, US, January 1994. 

24. R. Nieuwenhuis and A. Rubio. Theorem proving with ordering and equality con- 
strained clauses. J. Symbolic Computation, 19:321-351, 1995. 

25. I. V. Ramakrishnan, R. Sekar, and A. Voronkov. Term indexing. In A. Robinson 
and A. Voronkov, editors. Handbook of Automated Reasoning, volume II, pages 
1853-1964. Elsevier Science, 2001. 

26. J. M. Rivero. Data structures and algorithms for automated deduction with equal- 
ity. PhD Thesis. Universitat Politecnica de Catalunya, Barcelona, Spain, 2000. 

27. M. Stickel. A Prolog Technology Theorem Prover: implementation by an extended 
Prolog compiler. J. Automated Reasoning, 4:353-380, 1988. 

28. M. Stickel. The path indexing method for indexing terms. Technical Report 473, 
Artificial Intelligence Center, SRI International, Menlo Park, CA, October 1989. 

29. G. Sutcliffe and C. Suttner. The TPTP Problem Library for Automated Theorem 
Proving, http: //www. cs .miami . edu/~tptp/. 

30. A. Voronkov. The anatomy of Vampire: Implementing bottom-up procedures with 
code trees. J. Automated Reasoning, 15(2):237-265, 1995. 

31. D. H. D. Warren. Higher-order extensions to PROLOG: are they needed? In 
Machine Intelligence, volume 10, pages 441-454. Edinburgh University Press, Ed- 
inburgh, UK, 1982. 

32. S. Wolfram. The Mathematica Book. Cambridge University Press and Wolfram 
Research, Inc., fourth edition, 1999. 




Termination of Simply Typed Term Rewriting
by Translation and Labelling*

Takahito Aoto¹ and Toshiyuki Yamada²

¹ Research Institute of Electrical Communication, Tohoku University, Japan
aoto@nue.riec.tohoku.ac.jp
² Faculty of Engineering, Mie University, Japan
toshi@cs.info.mie-u.ac.jp



Abstract. Simply typed term rewriting proposed by Yamada (RTA
2001) is a framework of term rewriting allowing higher-order functions.
In contrast to the usual higher-order term rewriting frameworks, simply
typed term rewriting dispenses with bound variables. This paper
presents a method for proving termination of simply typed term rewriting
systems (STTRSs, for short). We first give a translation of STTRSs
into many-sorted first-order TRSs and show that the termination problem of
STTRSs is reduced to that of many-sorted first-order TRSs. Next, we
introduce a labelling method which is applied to the first-order TRSs obtained
by the translation to facilitate their termination proofs; our labelling
employs an extension of semantic labelling where terms are interpreted
on a many-sorted algebra.



1 Introduction 

Simply typed term rewriting proposed by Yamada [10] is a simple extension of
first-order term rewriting. It can deal with higher-order functions. Equational
specifications using higher-order functions, like functional programs, are naturally
expressed in this framework. In contrast to the usual higher-order term
rewriting frameworks [5,7,9], simply typed term rewriting dispenses with bound
variables. In this respect, simply typed term rewriting reflects limited higher-order
features. On the other hand, the simply typed term rewriting framework is
succinct and theoretically much easier to deal with.

This paper presents a method for proving termination of simply typed term
rewriting systems (STTRSs, for short). Termination of STTRSs based on monotone
interpretation has been investigated in [10]. We are concerned here with
syntactic methods and propose techniques which are more suitable for automated
termination proofs.

We first give a translation of STTRSs into many-sorted first-order TRSs such
that the termination of an STTRS follows from that of the many-sorted first-order
TRS obtained by this translation. Since a many-sorted first-order TRS is
terminating whenever the underlying first-order TRS obtained by omitting the
sort information is terminating, one can apply any known method for proving
termination of ordinary TRSs to infer the termination of STTRSs based on our
translation. Next, we introduce a labelling method which is applied to the first-order
TRSs obtained by the translation to facilitate their termination proofs. Our
labelling method is based on semantic labelling proposed by Zantema [11];
in fact, it is a particular kind of semantic labelling over fixed models and
labels (determined by the signature of STTRSs). However, the original semantic
labelling method for unsorted TRSs is insufficient for our purpose, and thus our
labelling employs an extension of semantic labelling where terms are interpreted
on a many-sorted algebra.

The remainder of the paper is organized as follows: In Section 2, we review
the basic notions and terminology of simply typed term rewriting. In Section 3,
we give a translation of STTRSs into many-sorted first-order TRSs such that the
termination problem of an STTRS is reduced to that of the corresponding many-sorted
TRS. In Sections 4 and 5, we present a labelling method that facilitates
termination proofs of the many-sorted TRSs obtained by our translation. We first
introduce our labelling method in the unsorted setting using the original semantic
labelling, and examine why the labelling in this setting is often not useful (in
Section 4). Then the labelling method is improved based on the many-sorted
version of semantic labelling (in Section 5).



2 Preliminaries 

In this section, we recall the basic notions and terminology of simply typed term
rewriting, which were introduced in [10]. We assume the reader to be familiar
with (first-order) term rewriting [3,4,8].

For a set $B$ of basic types, the set of simple types is the smallest set $ST(B)$ such
that (1) $B \subseteq ST(B)$, and (2) $\tau_1 \times \cdots \times \tau_n \to \tau_0 \in ST(B)$ whenever $\tau_0, \tau_1, \ldots, \tau_n \in ST(B)$.
Note that our definition allows multiple basic types whereas the original
one in [10] is based on a single basic type. When clear, simple type is abbreviated
as type, and $ST(B)$ is written as $ST$.

Each constant or variable is associated with its type; the sets of constants
and variables of type $\tau$ are denoted by $C^\tau$ and $V^\tau$, respectively. $C$ and $V$ stand
for the sets of all constants and variables, respectively: $C = \bigcup_{\tau \in ST} C^\tau$ and
$V = \bigcup_{\tau \in ST} V^\tau$. We assume that $V^\tau$ is countably infinite for any $\tau \in ST$.

The set $T_{ST}(C, V)^\tau$ of simply typed terms of type $\tau$ over $C, V$ is defined as
follows: (1) $C^\tau \cup V^\tau \subseteq T_{ST}(C, V)^\tau$, and (2) if $s \in T_{ST}(C, V)^{\tau_1 \times \cdots \times \tau_n \to \tau}$ and
$t_i \in T_{ST}(C, V)^{\tau_i}$ for all $i \in \{1, \ldots, n\}$ then $(s\ t_1 \cdots t_n) \in T_{ST}(C, V)^\tau$. The outermost
parentheses of simply typed terms may be omitted when no confusion
arises. A simply typed term $s$ has type $\tau$ (denoted by $s^\tau$) when $s \in T_{ST}(C, V)^\tau$.
It is clear that each simply typed term has a unique type; thus $\tau$ is also referred
to as the type of $s$. The set $T_{ST}(C, V)$ of all simply typed terms is
$\bigcup_{\tau \in ST} T_{ST}(C, V)^\tau$; when clear, $T_{ST}(C, V)$ is abbreviated as $T_{ST}$. The head symbol
of a simply typed term is defined as follows: (1) $\mathrm{head}(t) = t$ if $t \in C \cup V$,
and (2) $\mathrm{head}((s\ t_1 \cdots t_n)) = \mathrm{head}(s)$. The set of variables occurring in a term $t$
is written as $V(t)$.

A pair $(l, r)$ of simply typed terms is a simply typed rewrite rule when (1) $l$
and $r$ have the same type, (2) $\mathrm{head}(l) \in C$, and (3) $V(r) \subseteq V(l)$. A simply typed
rewrite rule $(l, r)$ will often be written as $l \to r$. A triple $(B, C, R)$ consisting of
a set $B$ of basic types, a set $C$ of constants, and a set $R$ of simply typed rewrite
rules is called a simply typed term rewriting system (STTRS, for short).

A substitution is a mapping $\sigma : V \to T_{ST}(C, V)$ that satisfies the following
conditions: (1) $\mathrm{Dom}(\sigma) = \{\, x \mid \sigma(x) \neq x \,\}$ is finite; and (2) for each $x \in \mathrm{Dom}(\sigma)$,
$x$ and $\sigma(x)$ have the same type. The homomorphic extension of $\sigma$ to $T_{ST}(C, V)$
is also denoted by $\sigma$. As usual, $\sigma(t)$ is written as $t\sigma$. The rewrite relation $\to_{\mathcal{R}}$
induced by a simply typed term rewriting system $\mathcal{R} = (B, C, R)$ is the smallest
relation over $T_{ST}(C, V)$ satisfying the following conditions: (1) $l\sigma \to_{\mathcal{R}} r\sigma$ for all
$l \to r \in R$ and for all substitutions $\sigma$, and (2) if $s \to_{\mathcal{R}} t$ then $(s_0 \cdots s \cdots s_n) \to_{\mathcal{R}}
(s_0 \cdots t \cdots s_n)$ for all $s_0, \ldots, s_n$. An STTRS $\mathcal{R}$ is terminating if there is no infinite
reduction sequence $s_0 \to_{\mathcal{R}} s_1 \to_{\mathcal{R}} \cdots$.



Example 1 (simply typed term rewriting). Let $\mathcal{R} = (B, C, R)$ be an STTRS
where $B = \{Nat, List\}$,
$C = \{\, 0^{Nat},\ s^{Nat \to Nat},\ []^{List},\ {:}^{Nat \times List \to List},\ map^{(Nat \to Nat) \times List \to List},\
\circ^{(Nat \to Nat) \times (Nat \to Nat) \to (Nat \to Nat)},\ twice^{(Nat \to Nat) \to (Nat \to Nat)} \,\}$,
and

$R = \{\ map\ F\ [] \to [],\ \ map\ F\ (x : xs) \to (F\ x) : (map\ F\ xs),\ \ (F \circ G)\ x \to F\ (G\ x),\ \ twice\ F \to F \circ F\ \}$.

Here is a rewrite sequence of $\mathcal{R}$:

$map\ (twice\ s)\ (0 : []) \to_{\mathcal{R}} map\ (s \circ s)\ (0 : [])
\to_{\mathcal{R}} ((s \circ s)\ 0) : (map\ (s \circ s)\ [])
\to_{\mathcal{R}} (s\ (s\ 0)) : (map\ (s \circ s)\ [])
\to_{\mathcal{R}} (s\ (s\ 0)) : []$.



3 Translating STTRSs to Many-Sorted TRSs 

The framework of STTRSs can deal with higher-order variables and thus it is
not within the framework of (usual) first-order term rewriting. However, this
does not necessarily imply that STTRSs cannot be seen as TRSs via a suitable
encoding. In this section, we will see that STTRSs can be encoded into many-sorted
TRSs.

First, we define the notion of arity, which will be used to reflect the type
information of the simply typed terms in our encoding.

Definition 1 (arity). The set of arities is the smallest set $Ar(B)$ such that
(1) $B \subseteq Ar(B)$, and (2) if $n \ge 1$ and $\alpha_0, \alpha_1, \ldots, \alpha_n \in Ar(B)$ then $(\alpha_1 \cdots \alpha_n\, \alpha_0) \in
Ar(B)$. The mapping $ar : ST(B) \to Ar(B)$ is defined as follows:

$$ar(\tau) = \begin{cases} \tau & \text{if } \tau \in B, \\ (ar(\tau_1) \cdots ar(\tau_n)\, ar(\tau_0)) & \text{if } \tau = \tau_1 \times \cdots \times \tau_n \to \tau_0. \end{cases}$$

Arities can denote simple types concisely. For example, $ar((Nat \to Nat) \times
List \to List) = ((Nat\ Nat)\ List\ List)$. We also employ the following conventions
for simplicity:

1. $Nat$, $List$, etc. are abbreviated as $N$, $L$, etc. when no confusion arises.

2. $(\alpha_1 \cdots \alpha_n)$ is abbreviated as $\alpha^n$ when $\alpha_1 = \cdots = \alpha_n$. (Note that this implies
that $(N^2)^2$ differs from $N^4$; the former denotes $((NN)(NN))$ while the latter
is $(NNNN)$.)

3. Outermost brackets of arities are omitted. (Thus, for example, $((NL)LL)$ is
written as $(NL)LL$.)

These conventions are illustrated in the following table, which contains some
examples of arities.



  symbol c ∈ C | simple type τ                | arity ar(τ)
  0            | Nat                          | N
  s            | Nat → Nat                    | N^2
  :            | Nat × List → List            | NLL
  map          | (Nat → Nat) × List → List    | N^2 LL
  twice        | (Nat → Nat) → (Nat → Nat)    | (N^2)^2


We next give a translation from STTRSs to many-sorted TRSs. A many-sorted
TRS is specified by a triple $(S, F, R)$ where $S$ is a set of sorts, $F$ a set of
$S$-sorted function symbols, and $R$ a set of rewrite rules.

Definition 2 (translation). We define a translation $\theta$ from simply typed signatures
(terms, STTRSs) to many-sorted signatures (terms, many-sorted TRSs,
respectively).

1. $\theta(C) = C \cup \{\, @_\alpha \mid \alpha \in Ar(B) \setminus B \,\}$,
where each function symbol in $\theta(C)$ is associated with its sort as follows:

$$\mathrm{sort}(f) = \begin{cases} ar(\tau) & \text{if } f \in C^\tau, \\ (\alpha_1 \cdots \alpha_n\, \alpha_0) \times \alpha_1 \times \cdots \times \alpha_n \to \alpha_0 & \text{if } f = @_{(\alpha_1 \cdots \alpha_n\, \alpha_0)}. \end{cases}$$

2. $$\theta(t) = \begin{cases} t & \text{if } t \in C \cup V, \\ @_{ar(\tau)}(\theta(s), \theta(t_1), \ldots, \theta(t_n)) & \text{if } t = (s^\tau\ t_1 \cdots t_n). \end{cases}$$

3. $\theta(R) = \{\, \theta(l) \to \theta(r) \mid l \to r \in R \,\}$.

4. $\theta((B, C, R)) = (Ar(B), \theta(C), \theta(R))$.

The following table shows examples of symbols and their sorts in a translated
signature.

  symbol f ∈ θ(C) | sort sort(f)
  0               | N
  s               | N^2
  map             | N^2 LL
  @_{N^2}         | N^2 × N → N
  @_{NLL}         | NLL × N × L → L
Example 2 (translation). Let $\mathcal{R}$ be the STTRS given in Example 1. Given below
are the rewrite rules of $\theta(\mathcal{R})$:

$@_{N^2LL}(map, F, []) \to []$
$@_{N^2LL}(map, F, @_{NLL}({:}, x, xs)) \to @_{NLL}({:}, @_{N^2}(F, x), @_{N^2LL}(map, F, xs))$
$@_{N^2}(@_{(N^2)^3}(\circ, F, G), x) \to @_{N^2}(F, @_{N^2}(G, x))$
$@_{(N^2)^2}(twice, F) \to @_{(N^2)^3}(\circ, F, F)$

Theorem 1 (completeness of translation). Let $\mathcal{R}$ be an STTRS. Then
$\theta(\mathcal{R})$ is terminating if and only if $\mathcal{R}$ is terminating.

Proof. Easy. □

Thus, the termination problem of STTRSs is reduced to the termination
problem of many-sorted TRSs. Clearly, a many-sorted TRS is terminating when
its underlying unsorted TRS, obtained by eliminating the sort information, is
terminating. Therefore, for proving termination of an STTRS, any existing proof
technique can be applied to the TRS obtained by the translation $\theta$.
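The arity map of Definition 1, the abbreviation conventions, and the translation $\theta$ of Definition 2 can be mechanized directly. The following Python program is an added illustration written for this section; it is not code from the paper or its authors. It assumes a concrete encoding: a basic type is a string, a function type $\tau_1 \times \cdots \times \tau_n \to \tau_0$ is the tuple `('->', (tau_1, ..., tau_n), tau_0)`, a simply typed term is either `('atom', name)` or `('app', s, [t_1, ..., t_n])`, and the type of every constant and variable is looked up in a signature dictionary. The sample signature and rules are the STTRS of Example 1, entered by hand.

```python
def fn(*taus):
    """Build tau_1 x ... x tau_n -> tau_0 from its components (the last one is the result)."""
    return ('->', tuple(taus[:-1]), taus[-1])

def ar(tau):
    """Definition 1: ar(tau) = tau for a basic type, else (ar(tau_1) ... ar(tau_n) ar(tau_0))."""
    if isinstance(tau, str):
        return tau
    _, args, res = tau
    return tuple(ar(a) for a in args) + (ar(res),)

def arity_str(alpha, outer=True):
    """Render an arity with the paper's conventions: a basic type is shortened to its
    initial, (alpha ... alpha) is written alpha^n, and the outermost brackets are omitted."""
    if isinstance(alpha, str):
        return alpha[0]
    parts = [arity_str(a, outer=False) for a in alpha]
    if len(parts) > 1 and all(p == parts[0] for p in parts):
        base = parts[0]
        if len(base) > 1 and not base.startswith('('):
            base = f"({base})"          # e.g. ((NN)(NN)) becomes (N^2)^2, not N^2^2
        return f"{base}^{len(parts)}"
    body = ''.join(parts)
    return body if outer else f"({body})"

def app_sort(alpha):
    """sort(@_alpha) for alpha = (alpha_1 ... alpha_n alpha_0): (argument sorts, result sort)."""
    return (alpha,) + tuple(alpha[:-1]), alpha[-1]

def type_of(t, sig):
    """Type of a simply typed term; rejects ill-typed applications."""
    if t[0] == 'atom':
        return sig[t[1]]
    _, s, args = t
    tau = type_of(s, sig)
    if not (isinstance(tau, tuple) and len(tau[1]) == len(args)):
        raise TypeError(f"ill-typed application of {s}")
    for a, expected in zip(args, tau[1]):
        if type_of(a, sig) != expected:
            raise TypeError(f"argument {a} does not have type {expected}")
    return tau[2]

def theta(t, sig):
    """Definition 2: an atom is unchanged; (s^tau t_1 ... t_n) becomes
    @_{ar(tau)}(theta(s), theta(t_1), ..., theta(t_n)). Result: (symbol, [args])."""
    if t[0] == 'atom':
        return (t[1], [])
    _, s, args = t
    symbol = '@' + arity_str(ar(type_of(s, sig)))
    return (symbol, [theta(s, sig)] + [theta(a, sig) for a in args])

def show(fo):
    """Print a first-order term f(t_1, ..., t_n)."""
    sym, args = fo
    return sym if not args else f"{sym}({', '.join(show(a) for a in args)})"

def translate_rules(rules, sig):
    """theta(R): translate every rule l -> r and return the printed pairs."""
    return [(show(theta(l, sig)), show(theta(r, sig))) for l, r in rules]

# The STTRS of Example 1 (constructed input; the variable names follow the paper).
NAT, LIST = 'Nat', 'List'
SIG = {
    '0': NAT, 's': fn(NAT, NAT), '[]': LIST, ':': fn(NAT, LIST, LIST),
    'map': fn(fn(NAT, NAT), LIST, LIST),
    'o': fn(fn(NAT, NAT), fn(NAT, NAT), fn(NAT, NAT)),
    'twice': fn(fn(NAT, NAT), fn(NAT, NAT)),
    'F': fn(NAT, NAT), 'G': fn(NAT, NAT), 'x': NAT, 'xs': LIST,   # variables
}
def A(name): return ('atom', name)
def app(s, *args): return ('app', s, list(args))
RULES = [
    (app(A('map'), A('F'), A('[]')), A('[]')),
    (app(A('map'), A('F'), app(A(':'), A('x'), A('xs'))),
     app(A(':'), app(A('F'), A('x')), app(A('map'), A('F'), A('xs')))),
    (app(app(A('o'), A('F'), A('G')), A('x')), app(A('F'), app(A('G'), A('x')))),
    (app(A('twice'), A('F')), app(A('o'), A('F'), A('F'))),
]

if __name__ == '__main__':
    for l, r in translate_rules(RULES, SIG):
        print(f"{l} -> {r}")
```

Running the program prints the four rules of Example 2. The application symbol is chosen from the type of the applied subterm $s$, not from the type of the whole application, which is why `(F o G) x` receives the outer symbol `@N^2` and the inner symbol `@(N^2)^3`.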

Example 3 (termination of STTRS by translation). Let $\mathcal{R}$ be the STTRS in
Example 1. Termination of $\theta(\mathcal{R})$ is shown, for example, by the lexicographic
path order (LPO) [6], and thus $\mathcal{R}$ is terminating.



4 Primary Symbol Labelling on Single Sort 



In simply typed term rewriting, the usual expression $f(s_1, \ldots, s_n)$ of terms is
changed to $(f\ s_1 \cdots s_n)$, so that function variables do not appear as a node of the
tree structure of terms, like $F(s_1, \ldots, s_n)$, but as a leaf, like $(F\ s_1 \cdots s_n)$. Similarly,
for TRSs of the form $\theta(\mathcal{R})$, the terms are of the form $@_\alpha(f, s_1, \ldots, s_n)$.
Then, in contrast to the usual first-order term formulation, when one tries to
compare terms using path orders like RPO, LPO, etc., each leading symbol $f$ is
no longer compared before its arguments $s_1, \ldots, s_n$; only application symbols
carrying type information are compared before their arguments. Since the type
information of a term is much less specific than its function
symbol, path orders are not effectively applied to TRSs obtained by the translation.



Example 4 (motivation for labelling). Let $B = \{Nat\}$, $C = \{\, 0^{Nat},\ s^{Nat \to Nat},\
+^{Nat \to (Nat \to Nat)},\ *^{Nat \to (Nat \to Nat)} \,\}$, and

$R = \{\ (+\ 0)\ y \to y,\ \ (+\ (s\ x))\ y \to s\ ((+\ x)\ y),\ \ (*\ 0)\ y \to 0,\ \ (*\ (s\ x))\ y \to (+\ ((*\ x)\ y))\ y\ \}$.

Then $\theta(\mathcal{R})$ has the following rewrite rules:

$@_{N^2}(@_{NN^2}(+, 0), y) \to y$
$@_{N^2}(@_{NN^2}(+, @_{N^2}(s, x)), y) \to @_{N^2}(s, @_{N^2}(@_{NN^2}(+, x), y))$
$@_{N^2}(@_{NN^2}(*, 0), y) \to 0$
$@_{N^2}(@_{NN^2}(*, @_{N^2}(s, x)), y) \to @_{N^2}(@_{NN^2}(+, @_{N^2}(@_{NN^2}(*, x), y)), y)$

The fourth rule cannot be made decreasing by LPO under any precedence. This is
because $+$ and $*$ have the same type (i.e. both the lhs and the rhs of the rule have the
same root symbol $@_{N^2}$).

This observation leads us to the idea of labelling application symbols not
only by types but also by head symbols. That is, we label each application symbol
by the leftmost non-application symbol in its first argument. For example, the
fourth rule of the TRS above becomes

$@_{N^2 *}(@_{NN^2 *}(*, @_{N^2 s}(s, x)), y) \to @_{N^2 +}(@_{NN^2 +}(+, @_{N^2 *}(@_{NN^2 *}(*, x), y)), y)$

and the root symbols of the lhs and the rhs of the rule are distinguished. For this purpose,
semantic labelling [11] seems to be helpful.

In this section, we define this particular labelling, called primary symbol
labelling, for first-order TRSs. Our labelling method is obtained from semantic
labelling by fixing an ordered algebra and a labelling specification. It turns out that
the labelling method obtained from the original semantic labelling is not useful
in many cases. At the end of the section, we will exhibit by examples why this
naive approach is unsatisfactory. The labelling method in this section will be
modified in the next section.

In semantic labelling, algebra operations are used to determine the label of
a function symbol. Since our labelling is based on the quasi-model version of
semantic labelling, the carrier of an algebra for labelling needs to be partially
ordered. Let $\Sigma$ be a first-order signature. A weakly monotone $\Sigma$-algebra $\mathcal{A} =
(A, \ge_{\mathcal{A}}, \{f_{\mathcal{A}}\}_{f \in \Sigma})$ consists of a non-empty carrier set $A$, a partial order $\ge_{\mathcal{A}}$ on
$A$, and a family $\{f_{\mathcal{A}}\}_{f \in \Sigma}$ of interpretations. Each $f \in \Sigma$ takes a fixed number
of arguments, and the set of all function symbols in $\Sigma$ taking $n$ arguments is
denoted by $\Sigma_n$. Each constant $c \in \Sigma_0$ is interpreted as an element $c_{\mathcal{A}} \in A$ and
each $f \in \Sigma_n$ ($n \ge 1$) is interpreted as an algebra operation $f_{\mathcal{A}} : A^n \to A$.
All operations need to be weakly monotone, i.e., if $a_i \ge_{\mathcal{A}} b_i$ for $i = 1, \ldots, n$
then $f_{\mathcal{A}}(a_1, \ldots, a_n) \ge_{\mathcal{A}} f_{\mathcal{A}}(b_1, \ldots, b_n)$. The result of evaluating a term $t$ in $\mathcal{A}$ is
denoted by $[t]_{\mathcal{A}}$. The subscript $\mathcal{A}$ will be omitted when no confusion occurs.

We define a particular ordered algebra suitable for our labelling.

Definition 3 (algebra for primary symbol labelling). Let $\Sigma$ be a first-order
signature and $\ge$ a partial order on the set $\Sigma_0$ of all constant symbols.
The $\Sigma$-algebra $\mathrm{Pri}$ is defined as $(\Sigma_0, \ge, \{f_{\mathrm{Pri}}\}_{f \in \Sigma})$ where the interpretation of
a function symbol $f \in \Sigma_n$ is defined as follows:

$$f_{\mathrm{Pri}}(a_1, \ldots, a_n) = \begin{cases} f & \text{if } n = 0, \\ a_1 & \text{if } n \ge 1. \end{cases}$$

Observe that $f_{\mathrm{Pri}}$ is weakly monotone for any partial order $\ge$.

Example 5 ($\Sigma$-algebra $\mathrm{Pri}$). Let $\Sigma$ be the signature of $\theta(\mathcal{R})$ in Example 4,
namely, $\Sigma = \{0, s, +, *, @_{N^2}, @_{NN^2}, \ldots\}$ and $\Sigma_0 = \{0, s, +, *\}$. Let $\ge$ be any
partial order on $\Sigma_0$. Terms are evaluated in $\mathrm{Pri}$ as follows: $[0] = 0$, $[s] = s$,
$[@_{N^2}(s, 0)] = s$, $[@_{NN^2}(*, @_{N^2}(s, 0))] = *$, and $[@_{N^2}(@_{NN^2}(*, @_{N^2}(s, 0)), 0)] = *$.
Note that $\mathrm{head}(t) = [\theta(t)]$ holds for all simply typed terms $t$ without variables.

Now let us consider labelling for terms and rewrite rules. The set of first-order
variables is denoted by $X$. An assignment on $A$ is a function from $X$ to
$A$. The result of evaluating a term $t$ in a $\Sigma$-algebra $\mathcal{A}$ under an assignment $\alpha$
is denoted by $[t]_{\mathcal{A},\alpha}$ or simply $[t]_\alpha$. Let $\mathcal{R} = (\Sigma, R)$ be a first-order TRS. A
weakly monotone $\Sigma$-algebra $\mathcal{A}$ is a quasi-model of $\mathcal{R}$ if $[l]_\alpha \ge [r]_\alpha$ for all rewrite
rules $l \to r \in R$ and assignments $\alpha$ on the carrier of $\mathcal{A}$.

Definition 4 (primary symbol). Let $\Sigma$ be a first-order signature, $\ge$ a partial
order on the set $\Sigma_0$ of constant symbols. For any assignment $\alpha$ on $\Sigma_0$, the
primary symbol of a first-order term $t$ is defined as $[t]_{\mathrm{Pri},\alpha} \in \Sigma_0$.

Example 6 (primary symbol). Let $\Sigma$ be the signature of $\theta(\mathcal{R})$ in Example 4
and $\ge$ be any partial order on $\Sigma_0$. Suppose an assignment $\alpha$ satisfies $\alpha(F) =
*$. The primary symbol of a term is computed as follows: $[@_{N^2}(s, 0)]_\alpha = s$,
$[@_{N^2}(@_{NN^2}(F, @_{N^2}(s, x)), 0)]_\alpha = *$. Note that, if the head symbol of a simply
typed term $t$ is a constant, then it is identical to the primary symbol of $\theta(t)$;
otherwise, the assignment determines the primary symbol of $\theta(t)$.

In our labelling method, every function symbol in a term is labelled by the
primary symbol of its first argument.

Definition 5 (primary symbol labelling for terms). Let $\Sigma$ be a first-order
signature and $\ge$ a partial order on $\Sigma_0$. The set $\mathrm{Lab}(\Sigma)$ of labelled function
symbols is defined as

$$\mathrm{Lab}(\Sigma) = \Sigma_0 \cup \{\, f_\ell \mid f \in \Sigma_n,\ n \ge 1,\ \ell \in \Sigma_0 \,\}$$

where $f_\ell$ has the same arity as $f$. For each assignment $\alpha$ on $\Sigma_0$, we define the
labelling function $\mathrm{lab}_\alpha : T(\Sigma, X) \to T(\mathrm{Lab}(\Sigma), X)$ as follows:

$$\mathrm{lab}_\alpha(t) = \begin{cases} t & \text{if } t \in \Sigma_0 \cup X, \\ f_{[t_1]_\alpha}(\mathrm{lab}_\alpha(t_1), \ldots, \mathrm{lab}_\alpha(t_n)) & \text{if } t = f(t_1, \ldots, t_n),\ n \ge 1. \end{cases}$$

Example 7 (primary symbol labelling for terms). Let $\Sigma$ be the signature of $\theta(\mathcal{R})$
in Example 4. Then, for any assignment $\alpha$ on $\Sigma_0$, we have $\mathrm{lab}_\alpha(@_{N^2}(s, 0)) =
@_{N^2 s}(s, 0)$, and $\mathrm{lab}_\alpha(@_{N^2}(@_{NN^2}(*, 0), x)) =$

Definition 6 (primary symbol labelling for rewrite systems). For any
TRS $(\Sigma, R)$ and any partial order $\ge$ on $\Sigma_0$, we define

$$\mathrm{LabDec}((\Sigma, R)) = (\mathrm{Lab}(\Sigma), \mathrm{Lab}(R) \cup \mathrm{Dec}(R))$$

where

$$\mathrm{Lab}(R) = \{\, \mathrm{lab}_\alpha(l) \to \mathrm{lab}_\alpha(r) \mid l \to r \in R,\ \alpha : X \to \Sigma_0 \,\},$$

$$\mathrm{Dec}(R) = \{\, f_\ell(x_1, \ldots, x_n) \to f_{\ell'}(x_1, \ldots, x_n) \mid f \in \Sigma_n,\ n \ge 1,\ \ell, \ell' \in \Sigma_0,\ \ell > \ell' \,\}.$$

Theorem 2 (soundness of primary symbol labelling). Let $\mathcal{R} = (\Sigma, R)$
be a first-order TRS and $\ge$ a partial order on $\Sigma_0$. If the $\Sigma$-algebra $\mathrm{Pri}$ is a
quasi-model of $\mathcal{R}$ and $\mathrm{LabDec}(\mathcal{R})$ is terminating, then $\mathcal{R}$ is terminating.

Proof. We use the quasi-order version of semantic labelling [11]. For all function
symbols $f \in \Sigma \setminus \Sigma_0$, take $(\Sigma_0, \ge)$ as the partially ordered set of labels. For the
mapping $\pi_f : \Sigma_0^n \to \Sigma_0$ ($n \ge 1$), which determines a label for $f$, we choose the
projection to the first argument: $\pi_f(\ell_1, \ldots, \ell_n) = \ell_1$. □

Corollary 1 (termination of STTRS by labelling). Let $\mathcal{R}$ be an STTRS,
$\mathcal{R}' = (\Sigma, R')$ the unsorted version of $\theta(\mathcal{R})$, and $\ge$ a partial order on $\Sigma_0$. If $\mathrm{Pri}$
is a quasi-model of $\mathcal{R}'$ and $\mathrm{LabDec}(\mathcal{R}')$ is terminating, then $\mathcal{R}$ is terminating.



As mentioned at the beginning of this section, the naive labelling presented in
this section is often not applied successfully. Let us illustrate why the primary symbol
labelling defined in this section is ineffective.

Example 8 (drawback of naive labelling). Consider the STTRS $\mathcal{R}$ in Example 4.
The set of constant symbols of $\theta(\mathcal{R})$ is $\Sigma_0 = \{0, s, +, *\}$. To guarantee that
$\mathrm{Pri}$ is a quasi-model of the unsorted version of $\theta(\mathcal{R})$, the partial order $\ge$ on $\Sigma_0$
should satisfy the following constraints:

1. $+ \ge 0, s, +, *$ from the first rule, and

2. $* \ge +$ from the fourth rule.

This is impossible because $+ \ge *$ and $* \ge +$ cannot be satisfied at the same
time. Since every rule should be decreasing w.r.t. the interpretation, only very
restricted partial orders are possible (especially when collapsing rules are
contained, as above), and often the labelling is useless.



Example 9 (termination of STTRS by labelling). Consider the STTRS $\mathcal{R}$ in
Example 1. Then $\mathrm{LabDec}(\theta(\mathcal{R}))$ has the following rewrite rules:

$@_{N^2LL\,map}(map, F, []) \to []$
$@_{N^2LL\,map}(map, F, @_{NLL\,:}({:}, x, xs)) \to @_{NLL\,:}({:}, @_{N^2 s}(F, x), @_{N^2LL\,map}(map, F, xs))$
$@_{N^2LL\,map}(map, F, @_{NLL\,:}({:}, x, xs)) \to @_{NLL\,:}({:}, @_{N^2 map}(F, x), @_{N^2LL\,map}(map, F, xs))$
$\vdots$
$@_{N^2 \circ}(@_{(N^2)^3 \circ}(\circ, F, G), x) \to @_{N^2 s}(F, @_{N^2 s}(G, x))$
$@_{N^2 \circ}(@_{(N^2)^3 \circ}(\circ, F, G), x) \to @_{N^2 s}(F, @_{N^2 map}(G, x))$
$@_{N^2 \circ}(@_{(N^2)^3 \circ}(\circ, F, G), x) \to @_{N^2 s}(F, @_{N^2 :}(G, x))$
$\vdots$
$@_{(N^2)^2 twice}(twice, F) \to @_{(N^2)^3 \circ}(\circ, F, F)$

When labelling rewrite rules, we have to consider all assignments for variables.
This gives rise to a large number of labelled rules from a rewrite rule
containing function variables.
However, these drawbacks can be avoided by restricting the possible labels
by using sort information. To do so, we use the many-sorted version of
semantic labelling.

5 Primary Symbol Labelling on Multiple Sorts

In [11], semantic labelling is developed for unsorted TRSs. The many-sorted
version of semantic labelling is verified in exactly the same way as in the unsorted
case. In this section, we apply the many-sorted version of semantic labelling to
improve the labelling method introduced in the previous section.

Let $S$ be a set of sorts and $\Sigma$ an $S$-sorted first-order signature. A weakly
monotone $S$-sorted $\Sigma$-algebra $\mathcal{A} = (\{A^\alpha\}_{\alpha \in S}, \ge_{\mathcal{A}}, \{f_{\mathcal{A}}\}_{f \in \Sigma})$ consists of a family
$\{A^\alpha\}_{\alpha \in S}$ of non-empty carrier sets, a partial order $\ge_{\mathcal{A}}$ on $A = \bigcup\{\, A^\alpha \mid \alpha \in S \,\}$,
and a family $\{f_{\mathcal{A}}\}_{f \in \Sigma}$ of interpretations. Each constant $c \in \Sigma$ of sort $\alpha$ is
interpreted as an element $c_{\mathcal{A}} \in A^\alpha$, and each function symbol $f \in \Sigma$ of sort
$\alpha_1 \times \cdots \times \alpha_n \to \alpha_0$ is interpreted as an algebra operation $f_{\mathcal{A}} : A^{\alpha_1} \times \cdots \times A^{\alpha_n} \to
A^{\alpha_0}$. Similarly to the unsorted case, the operations need to be weakly monotone.
Although many-sorted algebras allow pairwise disjoint domains, below we will
choose carrier sets that overlap each other. In order to deal with such a case
easily, we use a single partial order $\ge_{\mathcal{A}}$ over $A$.

Since a simply typed term, with $B$ a set of basic types, is transformed into
an $Ar(B)$-sorted term by the translation $\theta$, we take $Ar(B)$ as the set of sorts.
We now examine how to fix the carrier sets of the many-sorted algebra, motivated by the
following two observations.

Observation 1. The constants that may occur as the primary symbol of $t$ are
restricted by the sort of $t$.

Example 10 (restricting terms by sort information). Let $B = \{Nat\}$ and $C =
\{\, 0^{Nat},\ s^{Nat \to Nat},\ +^{Nat \times Nat \to Nat},\ curry^{(Nat \times Nat \to Nat) \to (Nat \to (Nat \to Nat))} \,\}$. Terms with the
constant $curry$ appearing as the primary symbol are limited to those having sorts
$N^3(NN^2)$, $NN^2$, $N^2$, or $N$. For example:

  term                                              | sort
  curry                                             | N^3(NN^2)
  @_{N^3(NN^2)}(curry, +)                           | NN^2
  @_{NN^2}(@_{N^3(NN^2)}(curry, +), 0)              | N^2
  @_{N^2}(@_{NN^2}(@_{N^3(NN^2)}(curry, +), 0), 0)  | N

This observation leads to the following definition.

Definition 7 (range-order). The range-order $\ge$ on the set $Ar(B)$ is the smallest
partial order such that $(\alpha_1 \cdots \alpha_n\, \alpha_0) \ge \alpha_0$.

Example 11 (range-order). Let $B = \{Nat, List\}$. Then $N^3(NN^2) \ge NN^2 \ge N^2 \ge
N$. Also we have $(NN)LL \ge L$.
Thus, in contrast with the unsorted case, we can restrict carrier sets based
on the sort information. We tentatively fix the carrier sets as $A^\alpha = \{\, c \in C^\tau \mid
ar(\tau) \ge \alpha \,\}$ for all sorts $\alpha \in Ar(B)$.

The first observation gives rise to unnecessarily large carrier sets ($= A^\tau$)
for basic types $\tau$. Because usually most rewrite rules are of basic types, this
will impose many restrictions on our choice of the partial order. However, the
following observation reveals that elements in the carrier set of a basic type need
not be distinguished.

Observation 2. No constant of basic type is used as a label.

A constant of basic type, like $0$ and $[]$, does not occur as a primary symbol
in a translated term except for the constant itself, because it does not appear
as the first argument of an application symbol $@_\alpha$. This means that elements
of $A^\tau$ are not used as labels whenever $\tau$ is a basic type, and thus there is no
need to distinguish them. Therefore, we can take the singleton set $A^\tau = \{\bullet\}$
for every basic type $\tau$. This in particular implies that the rewrite rules of basic
types do not impose any restriction on the selection of the partial order of the
many-sorted algebra.

Now, based on the observations so far, we define a many-sorted algebra.

Definition 8 (many-sorted algebra for primary symbol labelling). Let
$B$ be a set of basic types and $C$ a set of constants for simply typed terms.
Then the many-sorted algebra $\mathrm{Pri}(B, C)$ is a weakly monotone $S$-sorted $\Sigma$-algebra
$(\{A^\alpha\}_{\alpha \in S}, \ge, \{f_{\mathrm{Pri}(B,C)}\}_{f \in \Sigma})$ where

— $S = Ar(B)$ and $\Sigma = \theta(C)$,

— $\bullet$ is an element not contained in $C$ and $\ge$ is a partial order on $A = \{\bullet\} \cup C$,

— The carrier set $A^\alpha$ of sort $\alpha$ is defined as:

$$A^\alpha = \begin{cases} \{\bullet\} & \text{if } \alpha \in B \text{ or } C^{\ge \alpha} = \emptyset, \\ C^{\ge \alpha} & \text{otherwise,} \end{cases}$$

where $C^{\ge \alpha} = \{\, c \in C^\tau \mid ar(\tau) \ge \alpha \,\}$,

— The interpretation of a function symbol $f \in \Sigma$ of sort $\alpha_1 \times \cdots \times \alpha_n \to \alpha_0$ is
defined as follows:

$$f_{\mathrm{Pri}(B,C)}(a_1, \ldots, a_n) = \begin{cases} f & \text{if } n = 0, \\ \bullet & \text{if } n \ge 1 \text{ and } A^{\alpha_0} = \{\bullet\}, \\ a_1 & \text{if } n \ge 1,\ A^{\alpha_1} \ne \{\bullet\} \text{ and } A^{\alpha_0} \ne \{\bullet\}, \\ d & \text{otherwise,} \end{cases}$$

where $d$ is an arbitrarily fixed element in $A^{\alpha_0}$. It is easy to see that every
$f_{\mathrm{Pri}(B,C)}$ is weakly monotone.

Example 12 (many-sorted $\Sigma$-algebra $\mathrm{Pri}(B, C)$). Let $B = \{Nat\}$, and $C =
\{\, 0^{Nat},\ s^{Nat \to Nat},\ +^{Nat \times Nat \to Nat},\ *^{Nat \times Nat \to Nat} \,\}$. Then
$A^{N^2} = \{s\}$, $A^{N^3} = \{+, *\}$, and $A^\alpha = \{\bullet\}$ for $\alpha \notin \{N^2, N^3\}$. The order $\ge$ can
be any partial order on $A$.
The set of many-sorted variables is denoted by $X$. An assignment on $\mathcal{A}$ is
a function $\alpha : X \to A$ such that $x$ of sort $a$ implies $\alpha(x) \in A^{a}$. The notions of
interpretation, quasi-model, and the primary symbol of a many-sorted term are
defined similarly to the unsorted case.

Example 13 (interpretation). Let $B$ and $C$ be the ones in Example 10, and $\alpha$ be
any assignment. Then $[@_{N^2}(s, 0)]_\alpha = [@_{N^3}(+, 0, 0)]_\alpha = \bullet$. Also, $[+]_\alpha = +$, and
$[@_{N^3(NN^2)}(curry, +)]_\alpha = [@_{NN^2}(@_{N^3(NN^2)}(curry, +), 0)]_\alpha = curry$. Note that
by definition $[\theta(t)]_\alpha = \bullet$ for all simply typed terms $t$ of basic type.

The set of labels and the labelling functions are chosen similarly to the unsorted
case.

Definition 9 (primary symbol labelling for terms). Let $B$ be a set of
basic types and $C$ a set of constants for simply typed terms, and suppose that
$S = Ar(B)$ and $\Sigma = \theta(C)$. The set $\mathrm{Lab}(\Sigma)$ of $S$-sorted labelled function symbols
is defined as

$$\mathrm{Lab}(\Sigma) = \Sigma_0 \cup \{\, f_\ell \mid f \in \Sigma,\ \mathrm{sort}(f) = \alpha_1 \times \cdots \times \alpha_n \to \alpha_0,\ n \ge 1,\ \ell \in A^{\alpha_1} \,\}$$

where each $f_\ell$ has the same sort as $f$. The labelling function is defined in the
same way as in the unsorted case.



Definition 10 (primary symbol labelling for rewrite systems). Let $B$ be
a set of basic types and $C$ a set of constants for simply typed terms, and suppose
that $S = Ar(B)$ and $\Sigma = \theta(C)$. For any many-sorted TRS $(S, \Sigma, R)$, define

$$\mathrm{LabDec}((S, \Sigma, R)) = (S, \mathrm{Lab}(\Sigma), \mathrm{Lab}(R) \cup \mathrm{Dec}(R))$$

where $\mathrm{Lab}(R)$ and $\mathrm{Dec}(R)$ are defined in the same way as in the unsorted case.

Theorem 3 (soundness of primary symbol labelling). Let $\mathcal{R} = (B, C, R)$
be an STTRS, and $\ge$ be a partial order on $C \cup \{\bullet\}$. If the many-sorted algebra
$\mathrm{Pri}(B, C)$ is a quasi-model of $\theta(\mathcal{R})$ and $\mathrm{LabDec}(\theta(\mathcal{R}))$ is terminating, then
$\theta(\mathcal{R})$ is terminating.

Proof. We use the many-sorted version of semantic labelling. The partially ordered
set of labels $\mathcal{L}_f = (L_f, \ge)$ for each $f \in \Sigma$ of sort $\alpha_1 \times \cdots \times \alpha_n \to
\alpha_0$ ($n \ge 1$) consists of $L_f = A^{\alpha_1}$ and the partial order $\ge$ given by the restriction
of $\ge_{\mathcal{A}}$ to $A^{\alpha_1}$. The labelling function $\pi_f : A^{\alpha_1} \times \cdots \times A^{\alpha_n} \to L_f$ for each
$f \in \Sigma$ of sort $\alpha_1 \times \cdots \times \alpha_n \to \alpha_0$ ($n \ge 1$) is defined as $\pi_f(\ell_1, \ldots, \ell_n) = \ell_1$. □



Example 14 (termination of STTRS by labelling). Let $\mathcal{R} = (B, C, R)$ be an
STTRS where $B = \{Nat\}$ and $C = \{\, 0^{Nat},\ s^{Nat \to Nat},\ +^{Nat \times Nat \to Nat},\ *^{Nat \times Nat \to Nat},\
curry^{(Nat \times Nat \to Nat) \to (Nat \to (Nat \to Nat))},\ add^{Nat \to (Nat \to Nat)},\ mult^{Nat \to (Nat \to Nat)} \,\}$,
and

$R = \{\ +\ 0\ y \to y,\ \ +\ (s\ x)\ y \to s\ (+\ x\ y),\ \ *\ 0\ y \to 0,\ \ *\ (s\ x)\ y \to +\ y\ (*\ x\ y),\
((curry\ F)\ x)\ y \to F\ x\ y,\ \ add \to curry\ +,\ \ mult \to curry\ *\ \}$.

Note that one cannot prove termination of $\theta(\mathcal{R})$ by LPO.

Since the first five rules are of basic type, both sides evaluate to $\bullet$ in the
algebra. Hence, in order to fix the partial order, we only need to focus on the
last two rules, which are of non-basic types. Based on the interpretations of
both sides, we take the smallest partial order satisfying $add \ge curry$ and
$mult \ge curry$, by which the many-sorted algebra $\mathrm{Pri}(B, C)$ is a quasi-model of
$\theta(\mathcal{R})$. Then $\mathrm{LabDec}(\theta(\mathcal{R}))$ has the following rewrite rules:

$@_{N^3 +}(+, 0, y) \to y$
$@_{N^3 +}(+, @_{N^2 s}(s, x), y) \to @_{N^2 s}(s, @_{N^3 +}(+, x, y))$
$@_{N^3 *}(*, 0, y) \to 0$
$@_{N^3 *}(*, @_{N^2 s}(s, x), y) \to @_{N^3 +}(+, y, @_{N^3 *}(*, x, y))$
$@_{N^2 curry}(@_{NN^2 curry}(@_{N^3(NN^2)\,curry}(curry, F), x), y) \to @_{N^3 +}(F, x, y)$
$@_{N^2 curry}(@_{NN^2 curry}(@_{N^3(NN^2)\,curry}(curry, F), x), y) \to @_{N^3 *}(F, x, y)$
$add \to @_{N^3(NN^2)\,curry}(curry, +)$
$mult \to @_{N^3(NN^2)\,curry}(curry, *)$
$@_{N^2 add}(F, x) \to @_{N^2 curry}(F, x)$
$@_{N^2 mult}(F, x) \to @_{N^2 curry}(F, x)$
$@_{NN^2 add}(F, x) \to @_{NN^2 curry}(F, x)$
$@_{NN^2 mult}(F, x) \to @_{NN^2 curry}(F, x)$

The last four rules of $\mathrm{LabDec}(\theta(\mathcal{R}))$ are required, since the last two rules of $\mathcal{R}$
have non-basic type. In contrast to $\theta(\mathcal{R})$, termination of $\mathrm{LabDec}(\theta(\mathcal{R}))$ can be
shown by LPO. Thus, by Theorem 3, $\mathcal{R}$ is terminating. Note that $A^{N^3(NN^2)} =
\{curry\}$, $A^{NN^2} = \{curry, add, mult\}$, $A^{N^2} = \{curry, add, mult, s\}$, $A^{N^3} = \{+, *\}$,
and $A^\alpha = \{\bullet\}$ for any $\alpha \notin \{N^3(NN^2), NN^2, N^2, N^3\}$.

Corollary 2 (soundness of primary symbol labelling). Let $\mathcal{R}$ be an STTRS
such that all rules are of basic types. Then, if $\mathrm{Lab}(\theta(\mathcal{R}))$ is terminating then $\mathcal{R}$
is terminating.

Proof. Take the discrete order as the partial order $\ge$ on the many-sorted algebra
$\mathrm{Pri}(B, C)$. □

Example 15 (termination of STTRS by labelling). Let the STTRS $\mathcal{R}$ be the one in
Example 4. Then $\mathrm{Lab}(\theta(\mathcal{R}))$ has the following rewrite rules:

$@_{N^2 +}(@_{NN^2 +}(+, 0), y) \to y$
$@_{N^2 +}(@_{NN^2 +}(+, @_{N^2 s}(s, x)), y) \to @_{N^2 s}(s, @_{N^2 +}(@_{NN^2 +}(+, x), y))$
$@_{N^2 *}(@_{NN^2 *}(*, 0), y) \to 0$
$@_{N^2 *}(@_{NN^2 *}(*, @_{N^2 s}(s, x)), y) \to @_{N^2 +}(@_{NN^2 +}(+, @_{N^2 *}(@_{NN^2 *}(*, x), y)), y)$

Termination of $\mathrm{Lab}(\theta(\mathcal{R}))$ can be shown by LPO, and therefore $\mathcal{R}$ is terminating
by Theorem 2.

Example 16 (termination of STTRS by labelling). Let $\mathcal{R} = (B, C, R)$ be an
STTRS where $B = \{Nat, Bool, List\}$, $C = \{\, 0^{Nat},\ s^{Nat \to Nat},\ true^{Bool},\ false^{Bool},\
gt^{Nat \times Nat \to Bool},\ le^{Nat \times Nat \to Bool},\ []^{List},\ {:}^{Nat \times List \to List},\
filter^{(Nat \times Nat \to Bool) \times Nat \times List \to List},\ filtersub^{Bool \times (Nat \times Nat \to Bool) \times Nat \times List \to List},\
high^{Nat \times List \to List},\ low^{Nat \times List \to List},\ append^{List \times List \to List},\ qsort^{List \to List} \,\}$, and

$R = \{$
$\ \ gt\ 0\ x \to false,$
$\ \ gt\ (s\ x)\ 0 \to true,$
$\ \ gt\ (s\ x)\ (s\ y) \to gt\ x\ y,$
$\ \ le\ 0\ x \to true,$
$\ \ le\ (s\ x)\ 0 \to false,$
$\ \ le\ (s\ x)\ (s\ y) \to le\ x\ y,$
$\ \ filter\ F\ x\ nil \to nil,$
$\ \ filter\ F\ x\ (y : ys) \to filtersub\ (F\ x\ y)\ F\ x\ (y : ys),$
$\ \ filtersub\ true\ F\ x\ (y : ys) \to y : (filter\ F\ x\ ys),$
$\ \ filtersub\ false\ F\ x\ (y : ys) \to filter\ F\ x\ ys,$
$\ \ high\ x\ xs \to filter\ gt\ x\ xs,$
$\ \ low\ x\ xs \to filter\ le\ x\ xs,$
$\ \ append\ []\ xs \to xs,$
$\ \ append\ (x : xs)\ ys \to x : (append\ xs\ ys),$
$\ \ qsort\ [] \to [],$
$\ \ qsort\ (x : xs) \to append\ (qsort\ (low\ x\ xs))\ (x : (qsort\ (high\ x\ xs)))$
$\}$.

Using the dependency pair method [2], the inequalities required to show termination of Lab(Θ(𝓡)) reduce to the following (the rules give the weak constraints, the dependency pairs the strict ones):

@NNBgt(gt, 0, x) ≥ false
@NNBgt(gt, @N2s(s, x), 0) ≥ true
@NNBgt(gt, @N2s(s, x), @N2s(s, y)) ≥ @NNBgt(gt, x, y)
@NNBle(le, 0, x) ≥ true
@NNBle(le, @N2s(s, x), 0) ≥ false
@NNBle(le, @N2s(s, x), @N2s(s, y)) ≥ @NNBle(le, x, y)
[] ≥ []
@NLL:(:, y, ys) ≥ @NLL:(:, y, ys)
@NLL:(:, y, ys) ≥ ys
@NLLhigh(high, x, xs) ≥ xs
@NLLlow(low, x, xs) ≥ xs
@L3append(append, [], xs) ≥ xs
@L3append(append, @NLL:(:, x, xs), ys) ≥ @NLL:(:, x, @L3append(append, xs, ys))
@L2qsort(qsort, []) ≥ []
@L2qsort(qsort, @NLL:(:, x, xs)) ≥ @L3append(append, @L2qsort(qsort, @NLLlow(low, x, xs)), @NLL:(:, x, @L2qsort(qsort, @NLLhigh(high, x, xs))))

@♯NNBgt(gt, @N2s(s, x), @N2s(s, y)) > @♯NNBgt(gt, x, y)
@♯NNBle(le, @N2s(s, x), @N2s(s, y)) > @♯NNBle(le, x, y)
@NLL:(:, y, ys) > ys
@♯L3append(append, @NLL:(:, x, xs), ys) > @♯L3append(append, xs, ys)
@NLL:(:, x, xs) > @NLLlow(low, x, xs)
@NLL:(:, x, xs) > @NLLhigh(high, x, xs)

where @♯α denotes the tuple symbol for @α. The following argument filtering is used: π(@(NNB)NLL) = π(@♯(NNB)NLL) = 4, π(@B(NNB)NLL) = π(@♯B(NNB)NLL) = 5, π(@♯L2qsort) = 2. These inequalities are satisfied by LPO based on the following precedence: gt > false, gt > true, le > false, le > true, @L2qsort > @L3append > @NLL: > @NLLlow, @♯L2qsort > @♯L3append > @NLL:, qsort > append > : > low, @NLL: > @NLLhigh, : > high. Thus Θ(𝓡) is terminating and therefore 𝓡 is terminating by Theorem 2.

6 Concluding Remarks

In this paper, we have presented a method to prove termination of simply typed term rewriting systems.

We have defined a translation Θ from STTRSs 𝓡 to many-sorted first-order TRSs Θ(𝓡), and showed that Θ(𝓡) is terminating if and only if 𝓡 is terminating. The translation Θ is easily automated and thus termination of STTRSs can be proved automatically using any known automated method for proving termination of first-order term rewriting systems.

We further presented a labelling method that facilitates termination proofs of the many-sorted TRSs obtained by our translation. For this, we use the many-sorted extension of the semantic labelling method, which was originally proved for unsorted term rewriting. We defined the labellings LabDec and Lab of many-sorted TRSs such that Lab(Θ(𝓡)) ⊆ LabDec(Θ(𝓡)), and showed that any STTRS 𝓡 is terminating whenever LabDec(Θ(𝓡)) is terminating, and that any STTRS 𝓡 all of whose rules are of basic type is terminating whenever Lab(Θ(𝓡)) is terminating.

We have demonstrated that the useful labelling by primary symbol cannot be obtained using unsorted semantic labelling, and proposed one using many-sorted semantic labelling. However, there is another direction to overcome this defect, namely to restrict labels so that there are just two kinds of labels, p and n, which distinguish defined primary symbols from constructor primary symbols. Then a soundness theorem like Theorem 3 is proved using the original semantic labelling method, and one like Theorem 2 is proved by slightly modifying the original semantic labelling proof [1].

Finally we also note that another termination proof technique for STTRSs, called monotone interpretation, has been proposed in [10]. Unlike our method, the one in [10] is a semantic method, and we think our techniques are more suitable for automated termination proofs.
Abstract. We study the termination of rewriting modulo a set of equations in the Calculus of Algebraic Constructions, an extension of the Calculus of Constructions with functions and predicates defined by higher-order rewrite rules. In a previous work, we defined general syntactic conditions based on the notion of computability closure for ensuring the termination of the combination of rewriting and β-reduction.

Here, we show that this result is preserved when considering rewriting modulo a set of equations if the equivalence classes generated by these equations are finite, the equations are linear and satisfy general syntactic conditions also based on the notion of computability closure. This includes equations like associativity and commutativity and provides an original treatment of termination modulo equations.



1 Introduction

The Calculus of Algebraic Constructions (CAC) [2,3] is an extension of the Calculus of Constructions (CC) [9] with functions and predicates defined by (higher-order) rewrite rules. CC embodies in the same formalism Girard's polymorphic λ-calculus and De Bruijn's dependent types, which allows one to formalize propositions and proofs of (impredicative) higher-order logic. In addition, CAC allows functions and predicates to be defined by any set of (higher-order) rewrite rules. And, in contrast with (first-order) Natural Deduction Modulo [13], proofs are part of the terms.

Very general conditions are studied in [2,4] for preserving the decidability of type-checking and the logical consistency of such a system. But these conditions do not take into account rewriting modulo equations like associativity and commutativity (AC), which would be very useful in proof assistants like Coq [22] since it increases automation and decreases the size of proofs. We already used the rewriting engine of CiME [8], which allows rewriting modulo AC, for a prototype implementation of CAC, and now work on a new version of Coq including rewriting modulo AC. In this paper, we extend the conditions given in [2] to deal with rewriting modulo equations.

2 The Calculus of Algebraic Constructions

We assume the reader familiar with typed λ-calculi [1] and rewriting [11]. The Calculus of Algebraic Constructions (CAC) [2] simply extends CC by considering a set F of symbols and a set 𝓡 of rewrite rules. The terms of CAC are:

t, u ∈ T ::= s | x | f | [x : t]u | tu | (x : t)u

where s ∈ S = {*, □} is a sort, x ∈ X a variable, f ∈ F a symbol, [x : t]u an abstraction, tu an application, and (x : t)u a dependent product, written t → u if x does not freely occur in u.

The sort * denotes the universe of types and propositions, and the sort □ denotes the universe of predicate types (also called kinds). For instance, the type nat of natural numbers is of type *, * itself is of type □ and nat → *, the type of predicates over nat, is of type □.

We use bold face letters for denoting sequences of terms. For instance, t is the sequence t₁ ... tₙ where n = |t| is the length of t, and (x : T)U is the term (x₁ : T₁) ... (xₙ : Tₙ)U (we implicitly assume that |x| = |T| = n).

We denote by FV(t) the set of free variables of t, by dom(θ) the domain of a substitution θ, by Pos(t) the set of Dewey's positions of t, by t|_p the subterm of t at position p, and by t[u]_p the replacement of t|_p by u.

Every symbol f is equipped with a sort s_f, an arity a_f and a type τ_f which may be any closed term of the form (x : T)U with |x| = a_f. The terms only built from variables and applications of the form f t with |t| = a_f are algebraic.

A typing environment Γ is an ordered list of type declarations x : T. If f is a symbol of type τ_f = (x : T)U, we denote by Γ_f the environment x : T.

A rule for typing symbols is added to the typing rules of CC:

(symb)

A rewrite rule is a pair l → r such that (1) l is algebraic, (2) l is not a variable, and (3) FV(r) ⊆ FV(l). Only l has to be algebraic: r may contain applications, abstractions and products. This is a particular case of Combinatory Reduction System (CRS) [18] which does not need higher-order pattern-matching.

If G ⊆ F, 𝓡_G is the set of rules whose left-hand side is headed by a symbol in G. A symbol f with 𝓡_f = ∅ is constant, otherwise it is (partially) defined.

A rule is left-linear (resp. right-linear) if no variable occurs more than once in the left-hand side (resp. right-hand side). A rule is linear if it is both left-linear and right-linear. A rule is non-duplicating if no variable occurs more often in the right-hand side than in the left-hand side.

A term t 𝓡-rewrites to a term t', written t →_𝓡 t', if there exists a position p in t, a rule l → r ∈ 𝓡 and a substitution σ such that t|_p = lσ and t' = t[rσ]_p. A term t β-rewrites to a term t', written t →_β t', if there exists a position p in t such that t|_p = ([x : U]v u) and t' = t[v{x ↦ u}]_p. Given a relation → and a term t, let →(t) = {t' ∈ T | t → t'}.

Finally, in CAC, β𝓡-equivalent types are identified. More precisely, in the type conversion rule of CC, ↓_β is replaced by ↓_{β𝓡}:

(conv)    Γ ⊢ t : T    T ↓_{β𝓡} T'    Γ ⊢ T' : s
          ─────────────────────────────────────
                        Γ ⊢ t : T'

where u ↓_{β𝓡} v iff there exists a term w such that u →*_{β𝓡} w and v →*_{β𝓡} w, →*_{β𝓡} being the reflexive and transitive closure of →_β ∪ →_𝓡. This rule means that any term t of type T in the environment Γ is also of type T' if T and T' have a common reduct (and T' is of type some sort s). For instance, if t is a proof of P(2 + 2) then t is also a proof of P(4) if 𝓡 contains the following rules:

x + 0 → x
x + (s y) → s (x + y)

This decreases the size of proofs and increases automation as well.

A substitution θ preserves typing from Γ to Δ, written θ : Γ → Δ, if, for all x ∈ dom(Γ), Δ ⊢ xθ : xΓθ, where xΓ is the type associated to x in Γ. Type-preserving substitutions enjoy the following important property: if Γ ⊢ t : T and θ : Γ → Δ then Δ ⊢ tθ : Tθ.

For ensuring the subject reduction property (preservation of typing under reduction), every rule f l → r is equipped with an environment Γ and a substitution ρ such that,¹ if f : (x : T)U and γ = {x ↦ l} then Γ ⊢ f lρ : Uγρ and Γ ⊢ r : Uγρ. The substitution ρ allows one to eliminate non-linearities that are due only to typing, and thus makes rewriting more efficient and confluence easier to prove. For instance, the concatenation on polymorphic lists (type list : * → * with constructors nil : (A : *)listA and cons : (A : *)A → listA → listA) of type (A : *)listA → listA → listA can be defined by:

app A (nil A') l' → l'
app A (cons A' x l) l' → cons A x (app A l l')
app A (app A' l l') l'' → app A l (app A l' l'')

with Γ = A : *, x : A, l : listA, l' : listA and ρ = {A' ↦ A}. For instance, app A (nil A') is not typable in Γ (since A' ∉ dom(Γ)) but becomes typable if we apply ρ. This does not matter since, if an instance app Aσ (nil A'σ) is typable then Aσ is convertible to A'σ.



3 Rewriting Modulo

Now, we assume given a set E of equations l = r which will be seen as a set of symmetric rules, that is, a set such that l → r ∈ E iff r → l ∈ E. The conditions on rules imply that, if l = r ∈ E, then (1) both l and r are algebraic, (2) both l and r are headed by a function symbol, (3) l and r have the same (free) variables. Examples of equations are:

x + y = y + x    (commutativity of +)
x + (y + z) = (x + y) + z    (associativity of +)
x × (y + z) = (x × y) + (x × z)    (distributivity of ×)
x + 0 = x    (neutrality of 0)
add A x (add A' y S) = add A y (add A' x S)
union A S S' = union A S' S
union A S (union A' S' S'') = union A (union A' S S') S''

where set : * → *, empty : (A : *)setA, add : (A : *)A → setA → setA and union : (A : *)setA → setA → setA formalize finite sets of elements of type A. Except for distributivity, which is not linear, and the equation x + 0 = x, whose equivalence classes are infinite, all the other equations will satisfy our strong normalization conditions. Note however that distributivity and neutrality can always be used as rules when oriented from left to right. Hence, the word problem for abelian groups or abelian rings for instance can be decided by using normalized rewriting [19].

On the other hand, the following expressions are not equations since left and right-hand sides have distinct sets of variables:

x × 0 = 0    (0 is absorbing for ×)
x + (−x) = 0    (inverse)

Let ∼ be the reflexive and transitive closure of →_E (∼ is an equivalence relation since E is symmetric). We are now interested in the termination of ▶ = →_β ∪ ∼→_𝓡 (instead of → = →_β ∪ →_𝓡 before). In the following, we may denote →_E by E, →_𝓡 by 𝓡 and →_β by β.

¹ Other conditions are necessary that we do not detail here.
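The two side conditions that Section 3 places on E, finite ∼-classes and linearity, can be checked mechanically on small examples. The following Python script is an added example, not code from the paper: it reads a set of equations E as symmetric rewrite rules, computes the ∼-class of a term by closure under E-steps at every position, and tests the linearity of an equation. The term encoding (strings for variables, tuples for applications and constants), the size bound `limit` used to detect unbounded classes, and the sample term (a + b) + c are this example's own assumptions.

```python
# Added example (not from the paper): equivalence classes modulo a set of equations E,
# read as symmetric rules, and the linearity check that Theorem 1 requires of E.
# Term encoding (an assumption of this example): a variable is a str,
# an application f(t1, ..., tn) is the tuple ('f', t1, ..., tn), a constant is a 1-tuple.

def subterm_positions(t):
    """Yield (position, subterm) pairs of t in pre-order; positions are tuples of ints."""
    yield (), t
    if isinstance(t, tuple):
        for i, arg in enumerate(t[1:]):
            for pos, sub in subterm_positions(arg):
                yield (i,) + pos, sub

def replace_at(t, pos, u):
    """t[u]_pos: replace the subterm of t at position pos by u."""
    if not pos:
        return u
    args = list(t[1:])
    args[pos[0]] = replace_at(args[pos[0]], pos[1:], u)
    return (t[0],) + tuple(args)

def match(pattern, t, subst):
    """First-order matching: extend subst so that pattern under subst equals t, else False."""
    if isinstance(pattern, str):
        if pattern in subst:
            return subst[pattern] == t
        subst[pattern] = t
        return True
    if not isinstance(t, tuple) or t[0] != pattern[0] or len(t) != len(pattern):
        return False
    return all(match(p, a, subst) for p, a in zip(pattern[1:], t[1:]))

def substitute(t, subst):
    if isinstance(t, str):
        return subst.get(t, t)
    return (t[0],) + tuple(substitute(a, subst) for a in t[1:])

def one_step(t, rules):
    """Every term reachable from t by one step with a rule (lhs, rhs), at any position."""
    for pos, sub in subterm_positions(t):
        for lhs, rhs in rules:
            subst = {}
            if match(lhs, sub, subst):
                yield replace_at(t, pos, substitute(rhs, subst))

def symmetric(equations):
    """E seen as a set of symmetric rules: l -> r and r -> l for every equation l = r."""
    return [rule for l, r in equations for rule in ((l, r), (r, l))]

def eq_class(t, equations, limit=10_000):
    """The ~-class of t (closure under E-steps), or None once it exceeds `limit` terms.

    Returning None is how this example flags an equation such as x + 0 = x, whose
    classes are infinite and which the strong normalization conditions exclude.
    """
    rules = symmetric(equations)
    seen, todo = {t}, [t]
    while todo:
        for u in one_step(todo.pop(), rules):
            if u not in seen:
                if len(seen) >= limit:
                    return None
                seen.add(u)
                todo.append(u)
    return seen

def variable_occurrences(t, counts=None):
    counts = {} if counts is None else counts
    if isinstance(t, str):
        counts[t] = counts.get(t, 0) + 1
    else:
        for a in t[1:]:
            variable_occurrences(a, counts)
    return counts

def is_linear(equation):
    """Both sides linear (no variable occurs twice on a side), as Theorem 1 requires of E."""
    return all(max(variable_occurrences(side).values(), default=0) <= 1 for side in equation)

# The equations of Section 3 in this example's encoding.
COMM = (('+', 'x', 'y'), ('+', 'y', 'x'))
ASSOC = (('+', 'x', ('+', 'y', 'z')), ('+', ('+', 'x', 'y'), 'z'))
DISTRIB = (('*', 'x', ('+', 'y', 'z')), ('+', ('*', 'x', 'y'), ('*', 'x', 'z')))
NEUTRAL = (('+', 'x', ('0',)), 'x')

# Constructed sample term (a + b) + c over constants a, b, c.
SAMPLE = ('+', ('+', ('a',), ('b',)), ('c',))

if __name__ == '__main__':
    print(len(eq_class(SAMPLE, [COMM, ASSOC])))           # 12: all AC-rearrangements
    print(eq_class(SAMPLE, [COMM, ASSOC, NEUTRAL], 50))   # None: the class is unbounded
    print(is_linear(COMM), is_linear(DISTRIB))            # True False
```

With commutativity and associativity the class of (a + b) + c is the 12 terms obtained by permuting the three leaves and choosing one of the two bracketings, so the closure stops; adding x + 0 = x lets the symmetric rule x → x + 0 grow any term without bound, and the closure hits the limit. Distributivity fails `is_linear` because x occurs twice on its right-hand side, which is exactly why the paper sets it aside.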

In order to preserve all the basic properties of the calculus, we do not change the shape of the relation used in the type conversion rule (conv): two types T and T' are convertible if T ↓ T' with → = →_β ∪ →_𝓡 ∪ →_E. But this raises the question of how to check this condition, knowing that → may not be terminating. We study this problem in Section 6.

4 Conditions of Strong Normalization

In the strong normalization conditions, we distinguish between first-order symbols (set F₁) and higher-order symbols (set F_ω). To precisely define what a first-order symbol is, we need a little definition first. We say that a constant predicate symbol is primitive if it is not polymorphic and if its constructors have no functional arguments. This includes in particular any first-order data type (natural numbers, lists of natural numbers, etc.). Now, a symbol f is first-order if it is a predicate symbol of maximal arity² or if it is a function symbol whose output type is a primitive predicate symbol. Any other symbol is higher-order. Let 𝓡_ι = 𝓡_{F_ι} and E_ι = E_{F_ι} for ι ∈ {1, ω}.

Since the pioneering works on the combination of λ-calculus and first-order rewriting [7,20], it is well known that the addition at the object level of a strongly normalizing first-order rewrite system preserves strong normalization. This comes from the fact that first-order rewriting cannot create β-redexes. On the other hand, higher-order rewriting can create β-redexes. This is why we have other conditions on higher-order symbols than merely strong normalization. Furthermore, in order for the two systems to be combined without losing strong normalization [23], we also require first-order rules to be non-duplicating [21]. Note however that a first-order symbol can always be considered as higher-order (but the strong normalization conditions on higher-order symbols may not be powerful enough for proving the termination of its defining rules).

² A predicate symbol f of type (x : T)U is of maximal arity if U = *, that is, if the elements of type f t are not functions.

The strong normalization conditions on higher-order rewrite rules are based on the notion of computability closure [5]. We are going to use this notion for the equations too.

Typed λ-calculi are generally proved strongly normalizing by using Tait and Girard's technique of computability predicates/reducibility candidates [14]. Indeed, a direct proof of strong normalization by induction on the structure of terms does not work. The idea of Tait, later extended by Girard to the polymorphic λ-calculus, is to strengthen the induction hypothesis as follows. To every type T, one associates a set ⟦T⟧ ⊆ SN (set of strongly normalizing terms), and proves that every term of type T is computable, that is, belongs to ⟦T⟧.

Now, if we extend such a calculus with rewriting, for preserving strong normalization, a rewrite rule has to preserve computability. The computability closure of a term t is a set of terms that are computable whenever t itself is computable. So, if the right-hand side r of a rule f l → r belongs to the computability closure of l, a condition called the General Schema, then r is computable whenever the terms in l are computable.

Formally, the computability closure for a rule (f l → r, Γ, ρ) with τ_f = (x : T)U and γ = {x ↦ l} is the set of terms t such that the judgment ⊢_c t : Uγρ can be deduced from the rules of Figure 1, where the variables of dom(Γ) are considered as symbols (τ_x = xΓ), >_F is a well-founded quasi-ordering (precedence) on symbols, with x <_F f for all x ∈ dom(Γ), >_l is the multiset or lexicographic extension³ of the subterm ordering⁴ ▷, and T ↓ T' iff T and T' have a common reduct by →_β ∪ →_{𝓡_{<f}} where 𝓡_{<f} = {g u → v | g <_F f}.

In addition, every variable x ∈ dom(Γ) is required to be accessible in some l_i, that is, xσ is computable whenever l_iσ is computable. The arguments of a constructor-headed term are always accessible. For a function-headed term f t with f : (x : T)Cv and C constant, only the t_i's such that C occurs positively in T_i are accessible (X occurs positively in Y → X and negatively in X → Y).

The relation ⊢_c is similar to the typing relation ⊢ of CAC except that symbol applications are restricted to symbols smaller than f, or to arguments smaller than l in the case of an application of a symbol equivalent to f. So, verifying that a rule satisfies the General Schema amounts to checking whether r has type Uγρ with the previous restrictions on symbol applications. It therefore has the same complexity.

³ Or a simple combination thereof, depending on the status of f.

⁴ We use a more powerful ordering for dealing with recursive definitions on types whose constructors have functional arguments.




400 Frederic Blanqui



(ax)       ⊢_c * : □

(symb<)    ⊢_c τ_g : s_g
           ─────────────────   (g <_F f)
           ⊢_c g : τ_g

(symb=)    ⊢_c τ_g : s_g    Δ ⊢_c δ : Γ_g
           ───────────────────────────────   (τ_g = (y : U)V, g =_F f and yδ <_l l)
           Δ ⊢_c g yδ : Vδ

(var)      Δ ⊢_c T : s
           ───────────────────   (x ∉ dom(Δ))
           Δ, x : T ⊢_c x : T

(weak)     Δ ⊢_c T : s    Δ ⊢_c u : U
           ────────────────────────────   (x ∉ dom(Δ))
           Δ, x : T ⊢_c u : U

(abs)      Δ, x : U ⊢_c v : V    Δ ⊢_c (x : U)V : s
           ────────────────────────────────────────
           Δ ⊢_c [x : U]v : (x : U)V

(app)      Δ ⊢_c t : (x : U)V    Δ ⊢_c u : U
           ──────────────────────────────────
           Δ ⊢_c tu : V{x ↦ u}

(prod)     Δ, x : U ⊢_c V : s
           ─────────────────────
           Δ ⊢_c (x : U)V : s

(conv)     Δ ⊢_c t : T    Δ ⊢_c T : s    Δ ⊢_c T' : s
           ─────────────────────────────────────────   (T ↓ T')
           Δ ⊢_c t : T'

Fig. 1. Computability closure for (f l → r, Γ, ρ)



Now, how can the computability closure help us in dealing with rewriting modulo equations? When one tries to prove that every term is computable, in the case of a term f t, it is sufficient to prove that every reduct of f t is computable. In the case of a head-reduct f lσ → rσ, this follows from the fact that r belongs to the computability closure of l since, by induction hypothesis, the terms in lσ are computable.

Now, with rewriting modulo, an 𝓡-step can be preceded by E-steps: f t →*_E g u →_𝓡 t'. To apply the previous method with g u, we must prove that the terms in u are computable. This can be achieved by assuming that the equations also satisfy the General Schema in the following sense: an equation (f l → g m, Γ, ρ) with τ_g = (x : T)U and γ = {x ↦ m} satisfies the General Schema if, for all i, ⊢_c m_i : T_iγρ, that is, the terms in m belong to the computability closure of l. By symmetry, the terms in l belong to the computability closure of m.

One can easily check that this condition is satisfied by commutativity (whatever the type of + is) and associativity (if both y and z are accessible in y + z):

x + y = y + x
x + (y + z) = (x + y) + z

For commutativity, this is immediate and does not depend on the type of +: both y and x belong to the computability closure of x and y.

For associativity, we must prove that both x + y and z belong to the computability closure CC of x and y + z. If we assume that both y and z are accessible in y + z (which is the case for instance if + : nat → nat → nat), then z belongs to CC and, by using a multiset status for comparing the arguments of +, x + y belongs to CC too since {x, y} <_mul {x, y + z}.

We now give all the strong normalization conditions.

Theorem 1 (Strong normalization of β ∪ ∼𝓡). Let ∼₁ be the reflexive and transitive closure of E₁. The relation ▶ = →_β ∪ ∼→_𝓡 is strongly normalizing if the following conditions adapted from [2] are satisfied:

• → = →_β ∪ →_𝓡 ∪ →_E is confluent,⁵
• the rules of 𝓡₁ are non-duplicating,⁶ 𝓡₁ and E₁ contain first-order symbols only,⁷ and ∼₁→_{𝓡₁} is strongly normalizing on first-order algebraic terms,
• the rules of 𝓡_ω satisfy the General Schema and are safe,⁸
• rules on predicate symbols have no critical pair, satisfy the General Schema⁹ and are small,¹⁰

and if the following new conditions are satisfied too:

• there is no equation on predicate symbols,
• E is linear,
• the equivalence classes modulo ∼ are finite,
• every rule (f l → g m, Γ, ρ) ∈ E satisfies the General Schema in the following sense: if τ_g = (x : T)U and γ = {x ↦ m} then, for all i, ⊢_c m_i : T_iγρ.

Not allowing equations on predicate symbols is an important limitation. However, one cannot have equations on connectors if one wants to preserve the Curry-Howard isomorphism. For instance, with commutativity on ∧, one loses subject reduction. Take ∧ : * → * → *, pair : (A : *)(B : *)A → B → A ∧ B and π₁ : (A : *)(B : *)A ∧ B → A defined by π₁ A B (pair A' B' a b) → a. Then, π₁ B A (pair A B a b) is of type B but a is not.

5 Strong Normalization Proof

The strong normalization proof follows the one given in [6] very closely.¹¹ We only give the definitions and lemmas that must be modified. As previously explained, the strong normalization is obtained by defining an interpretation ⟦T⟧ ⊆ SN for every type T, and by proving that every term of type T belongs to ⟦T⟧.

⁵ If there are type-level rewrite rules.

⁶ If there are higher-order rules.

⁷ First-order rules/equations only contain first-order symbols.

⁸ No pattern-matching on predicates.

⁹ There are other possibilities. See [2] for more details.

¹⁰ A rule f l → r is small if every predicate variable in r is equal to one of the l_i's.

¹¹ The proof given in [6] is an important simplification of the one given in [2].
More precisely, for every type T, we define the set 𝓡_T of the possible interpretations, or candidates, for the terms of type T. 𝓡_{(x:U)V} is the set of functions R from T × 𝓡_U to 𝓡_V that are stable by reduction: if u → u' then R(u, S) = R(u', S). A term t is neutral if it is distinct from an abstraction or a constructor. 𝓡_* is the set of sets R ⊆ T such that:

(R1) Strong normalization: R ⊆ SN.

(R2) Stability by reduction: if t ∈ R then →(t) ⊆ R.

(R3) Neutral terms: if t is neutral and ▶(t) ⊆ R then t ∈ R.

Candidates form a complete lattice. A candidate assignment ξ is a function which associates a candidate to every variable. Given an interpretation I for predicate symbols, a candidate assignment ξ and a substitution θ, the interpretation of a type T, written ⟦T⟧^I_{ξ,θ}, is defined in [4]. The elements of ⟦T⟧^I_{ξ,θ} are said computable. A pair (ξ, θ) is Γ-valid, written ξ, θ ⊨ Γ, if, for all x ∈ dom(Γ), xξ ∈ 𝓡_{xΓ} and xθ ∈ ⟦xΓ⟧_{ξ,θ}.

Then, strong normalization is obtained by defining an interpretation I_f ∈ 𝓡_{τ_f} for every predicate symbol f, and by proving that every symbol f is computable, that is, f ∈ ⟦τ_f⟧. If τ_f = (x : T)U, it amounts to checking that, for all Γ_f-valid pairs (ξ, θ), f xθ ∈ ⟦U⟧_{ξ,θ}. For the interpretation, we keep the one for constant predicate symbols given in [6] but slightly modify the interpretation of defined predicate symbols to take into account the new reduction relation.

Although we do not change the interpretation of constant predicate symbols, we must check that the interpretation of primitive predicate symbols is still SN (hence that, for primitive predicate symbols, computability is equivalent to strong normalization), since this property is used for proving that a terminating and non-duplicating (if there are higher-order rewrite rules) first-order rewrite system preserves strong normalization. The verification of the former property is easy. We now prove the latter.

Lemma 2. [16] If the ∼-classes are finite then ∼▷ is strongly normalizing.

Proof. We prove that (∼▷)ⁿ ⊆ ∼▷ⁿ by induction on n. For n = 0, this is immediate. For n+1, (∼▷)ⁿ⁺¹ = ∼▷(∼▷)ⁿ ⊆ ∼▷∼▷ⁿ ⊆ ∼∼▷▷ⁿ = ∼▷ⁿ⁺¹, since ▷∼ ⊆ ∼▷. □

Lemma 3. [12] If t ∈ SN(β) and t →_{𝓡₁} u then β(t) →*_{𝓡₁} β(u).

Proof. Dougherty proves this result in [12] (Proposition 4.6 and Theorem 4.7) for the untyped λ-calculus. The proof can clearly be extended to the Calculus of Algebraic Constructions. We inductively define ⇒ as follows:

• a ⇒ a;
• if l → r ∈ 𝓡₁ and σ ⇒ θ then lσ ⇒ rθ;
• if a ⇒ b and c ⇒ d then ac ⇒ bd, [x : a]c ⇒ [x : b]d and (x : a)c ⇒ (x : b)d;
• if a ⇒ b then f a ⇒ f b.

We now prove that, if t →_β t' and t ⇒ u then there exist t'' and u' such that t' →*_β t'' ⇒ u' and u →*_β u', by induction on t ⇒ u.

• u = t. Immediate.

• t = lσ, u = rθ and σ ⇒ θ. Since left-hand sides of rules are algebraic, the β-reduction must take place in an occurrence of a variable x ∈ FV(l). Let v' be the β-reduct of xσ. By induction hypothesis, there exist v'' and w such that v' →*_β v'' ⇒ w and xθ →*_β w. Let σ'' be such that xσ'' = v'' and yσ'' = yσ if y ≠ x, and θ' be such that xθ' = w and yθ' = yθ if y ≠ x. We have σ'' ⇒ θ'. By β-reducing all the instances of the occurrences of x in l to v'', we get t' →*_β lσ'' ⇒ rθ' and, by reducing all the instances of the occurrences of x in r to w, we get u = rθ →*_β rθ'.

• Assume that t = [x : a]c k, u = v l, [x : a]c ⇒ v, k ⇒ l and t' = c{x ↦ k}. Then, v = [x : b]d with a ⇒ b and c ⇒ d. Therefore, c{x ↦ k} ⇒ d{x ↦ l} and u →_β d{x ↦ l}.

Assume now that t = ac, u = bd, a ⇒ b, c ⇒ d and a →_β a'. The other cases are similar. By induction hypothesis, there exist a'' and b' such that a' →*_β a'' ⇒ b' and b →*_β b'. Therefore, a'c →*_β a''c ⇒ b'd and bd →*_β b'd.

• t = f a, u = f b and a ⇒ b. Then, there is i such that t' = f a', a_i →_β a'_i and a'_j = a_j if j ≠ i. By induction hypothesis, there exist a''_i and b'_i such that a'_i →*_β a''_i ⇒ b'_i and b_i →*_β b'_i. Let a''_j = a_j and b'_j = b_j if j ≠ i. Then, a'' ⇒ b', t' = f a' →*_β f a'' ⇒ f b' and u = f b →*_β f b'.

Now, since t is β-strongly normalizable, we can prove the lemma by induction on →_β. If t is in β-normal form then u also is in β-normal form since 𝓡₁-reductions preserve β-normal forms. Hence, β(t) = t ⇒ u = β(u). Now, if t →_β t' then there exist t'' and u' such that t' →*_β t'' ⇒ u' and u →*_β u'. By induction hypothesis, β(t'') ⇒ β(u'). Therefore, β(t) ⇒ β(u), and ⇒ ⊆ →*_{𝓡₁}. □

Definition 4 (Cap and aliens). Let ζ be an injection from the classes of terms modulo ∼ to X. The cap of a term t is the biggest first-order algebraic term cap(t) = t[x₁]_{p₁} ... [xₙ]_{pₙ} such that x_i = ζ(t|_{p_i}). The t|_{p_i}'s are called the aliens of t. We denote by β(t) the β-normal form of t, by capβ(t) the cap of β(t), by Cap(t) (resp. Capβ(t)) the ∼₁-equivalence class of cap(t) (resp. capβ(t)), by aliens(t) the multiset of the aliens of t, and by Aliens(t) the multiset union of the (finite) ∼-equivalence classes of the aliens of t.
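Definition 4 is straightforward to compute on concrete terms, and the proof of Theorem 5 below is essentially a case analysis on whether a step touches cap(t) or one of the aliens. The following Python function is an added example, not code from the paper: it splits a term into its cap and its multiset of aliens for a given set F₁ of first-order symbols, with ζ built as an injection from canonical representatives of ∼-classes to fresh variables z0, z1, .... The term encoding, the choice F₁ = {+, s, 0}, the sample terms, the hypothetical higher-order symbol u, and the commutativity canonicaliser standing in for ∼ are this example's assumptions.

```python
# Added example (not from the paper): cap and aliens of a term (Definition 4).
# Term encoding (an assumption of this example): a variable is a str,
# an application f(t1, ..., tn) is the tuple ('f', t1, ..., tn).
from collections import Counter

def make_zeta(canon=lambda t: t):
    """Build zeta: an injection from ~-classes of aliens to fresh variables z0, z1, ...

    `canon` must map ~-equivalent terms to one representative; the default (identity)
    is the case E = {}, where two aliens share a variable iff they are syntactically equal.
    """
    table = {}
    def zeta(alien):
        key = canon(alien)
        if key not in table:
            table[key] = 'z%d' % len(table)
        return table[key]
    return zeta

def cap_and_aliens(t, first_order, zeta):
    """Return (cap(t), aliens(t)).

    cap(t) is the biggest first-order algebraic context of t: every maximal subterm
    headed by a symbol outside `first_order` is replaced by the variable zeta(subterm).
    aliens(t) is the multiset (a Counter) of the subterms so replaced.
    """
    if isinstance(t, str):                     # a variable is first-order algebraic
        return t, Counter()
    if t[0] not in first_order:                # alien: cut here, do not descend
        return zeta(t), Counter([t])
    caps, aliens = [], Counter()
    for arg in t[1:]:
        c, a = cap_and_aliens(arg, first_order, zeta)
        caps.append(c)
        aliens += a
    return (t[0],) + tuple(caps), aliens

def comm_canon(t, commutative=frozenset({'+'})):
    """Canonical representative modulo commutativity of the listed symbols (a finite ~)."""
    if isinstance(t, str):
        return t
    args = tuple(comm_canon(a, commutative) for a in t[1:])
    if t[0] in commutative:
        args = tuple(sorted(args, key=repr))
    return (t[0],) + args

# Constructed sample: first-order symbols of Peano arithmetic; app/nil on polymorphic
# lists (Section 2) and a hypothetical symbol u are higher-order, hence alien heads.
F1 = frozenset({'+', 's', '0'})
ALIEN = ('app', 'A', ('nil', 'A'), 'l')
T1 = ('+', ('s', ALIEN), ALIEN)            # s (app A (nil A) l) + app A (nil A) l
T2 = ('+', ('u', ('+', 'a', 'b')), ('u', ('+', 'b', 'a')))

def split_t1():
    return cap_and_aliens(T1, F1, make_zeta())

def split_t2(modulo_commutativity):
    zeta = make_zeta(comm_canon) if modulo_commutativity else make_zeta()
    return cap_and_aliens(T2, F1, zeta)

if __name__ == '__main__':
    print(split_t1())             # cap ('+', ('s', 'z0'), 'z0'), the alien counted twice
    print(split_t2(False)[0])     # ('+', 'z0', 'z1'): syntactically distinct aliens
    print(split_t2(True)[0])      # ('+', 'z0', 'z0'): same ~-class, one variable
```

The second sample shows why ζ is defined on ∼-classes rather than on terms: the two aliens u(a + b) and u(b + a) are distinct terms but equal modulo commutativity, so the cap must abstract them by the same variable, which is what the E-step case in the proof of Theorem 5 relies on when it concludes Cap(t) = Cap(u).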

Theorem 5 (Computability of first-order symbols). If f ∈ F₁ and t₁, ..., tₙ ∈ SN then f t₁ ... tₙ ∈ SN.

Proof. We prove that every ▶-reduct t' of t = f t₁ ... tₙ is strongly normalizable. In the following, (>_a, >_b)_lex denotes the lexicographic ordering built with >_a and >_b, and >_mul denotes the multiset extension of >.

Case 𝓡_ω ≠ ∅. By induction on (Aliens(t), Cap(t)) with ((→_β∼ ∪ →_𝓡∼ ∪ ▷∼)_mul, (→_{𝓡₁}∼₁)_mul)_lex as well-founded ordering. It is easy to see that the aliens are strongly normalizable for →_β∼, →_𝓡∼ and ▷∼ since they are so for →_β (Lemma 7), →_𝓡 and ▷ (Lemma 2) respectively.

If t →_β t' then the reduction takes place in an alien v. Let v' be its β-reduct. If v' is not headed by a symbol of F₁ then Aliens(t) (→_β∼)_mul Aliens(t').






Otherwise, its cap increases the cap of t' but, since the aliens of t' are then strict subterms of v', we have Aliens(t) (→_β∼ ∪ ▷∼)_mul Aliens(t').

Assume now that t →*_E u →_𝓡 t'. We first look at what happens when t →_E u. There are two cases:

• If the reduction takes place in the cap then this is an E₁-reduction. Since both the left-hand side and the right-hand side of a first-order rule are first-order algebraic terms, we have cap(t) →_{E₁} cap(u) and, since the rules of E are linear, we have aliens(t) = aliens(u).

• If the reduction takes place in an alien then cap(t) = cap(u) and aliens(t) (→_E)_mul aliens(u).

So, in both cases, Cap(t) = Cap(u) and Aliens(t) = Aliens(u). Therefore, by induction on the number of E-steps, if t →*_E u then Cap(t) = Cap(u) and Aliens(t) = Aliens(u). We now look at the 𝓡-reduction. There are two cases:

• If the reduction takes place in the cap then it is an 𝓡₁-reduction. Since both the left-hand side and the right-hand side of a first-order rule are first-order algebraic terms, we have cap(u) →_{𝓡₁} cap(t') and, since the rules of 𝓡₁ are non-duplicating, we have aliens(u) ⊇ aliens(t'). If aliens(u) ⊋ aliens(t') then Aliens(u) ⊋ Aliens(t'). Otherwise, Cap(u) (→_{𝓡₁}∼₁)_mul Cap(t').

• If the reduction takes place in an alien then, as in the case of a β-reduction, we have Aliens(u) (→_𝓡∼ ∪ ▷∼)_mul Aliens(t').

Case 𝓡_ω = ∅. Since the t_i's are strongly normalizable and no β-reduction can take place at the top of t, t has a β-normal form. We prove that every ▶-reduct t' of t is strongly normalizable, by induction on (Capβ(t), Aliens(t)) with ((→_{𝓡₁}∼₁)_mul, (→_β∼ ∪ →_𝓡∼ ∪ ▷∼)_mul)_lex as well-founded ordering.

If t →_β t' then capβ(t) = capβ(t') and, as seen in the previous case, Aliens(t) (→_β∼ ∪ ▷∼)_mul Aliens(t').

Otherwise, t →*_E u →_𝓡 t'. As seen in the previous case, cap(t) →*_{E₁} cap(u) and Aliens(t) = Aliens(u). Since β and E commute and E preserves β-normal forms, we have capβ(t) →*_{E₁} capβ(u) and thus Capβ(t) = Capβ(u). We now look at the 𝓡-reduction. There are two cases:

• The reduction takes place in the cap. Since both the left-hand side and the right-hand side of a first-order rule are first-order algebraic terms, we have cap(u) →_{𝓡₁} cap(t') and, since β-reductions cannot reduce the cap, we have capβ(u) →_{𝓡₁} capβ(t') and thus Capβ(t) (→_{𝓡₁}∼₁)_mul Capβ(t').

• If the reduction takes place in an alien then Aliens(u) (→_𝓡∼)_mul Aliens(t') and, after Lemma 3, β(u) →*_{𝓡₁} β(t'). Therefore, capβ(u) →*_{𝓡₁} capβ(t') and Capβ(u) (→_{𝓡₁}∼₁)*_mul Capβ(t'). □



We now come to the interpretation of defined predicate symbols. Let f be a defined predicate of type (x : T)U. We define I_f(t, S) by induction on t as follows. If there exists a rule (f l → r, Γ, ρ) and a substitution σ such that t ∼ lσ and lσ is in ▶-normal form, then I_f(t, S) = ⟦r⟧^I_{ξ,σ} where the candidate assignment ξ is given by smallness. Otherwise, we take the greatest element of 𝓡_U.

We must make sure that the definition does not depend on the choice of the rule. Assume that there is another rule (f l' → r', Γ', ρ') and a substitution σ' such that t ∼ l'σ' in normal form. By confluence and Lemma 10, we have lσ ∼ l'σ'. Since → is confluent and rules on predicate symbols have no critical pair, there exists σ'' such that σ →* σ'', σ' →* σ'' and lσ'' = l'σ''. Therefore, for the same reason, we must have l = l' and r = r'.

Finally, we check that the interpretation is stable by reduction: if t → t' then, since → is confluent, t has a ▶-normal form iff t' has a ▶-normal form too.

We now prove the computability of higher-order symbols.

Theorem 6 (Computability of higher-order symbols). If f ∈ F_ω, τ_f = (x : T)U and ξ, θ ⊨ Γ_f then f xθ ∈ ⟦U⟧_{ξ,θ}.

Proof. The proof follows the one given in [6] except that → is replaced by ▶. We examine the different ▶-reducts of f xθ. If this is a β-reduction, it must take place in one x_iθ and we can conclude by induction hypothesis. Otherwise, we have f xθ →*_E g u →_𝓡 t'. Since the equations satisfy the General Schema, the u_i's are computable. Now, if the 𝓡-reduction takes place in one u_i, we can conclude by induction hypothesis. Otherwise, this is a head-𝓡-reduction and we can conclude by correctness of the computability closure. □

6 Confluence 

We now study the confluence of $\to$ and the decidability of $\leftrightarrow^*$. Let $R$ be a relation. $\tilde R$, $R^+$, $R^*$ respectively denote the inverse, the transitive closure, and the reflexive and transitive closure of $R$. Composition is denoted by juxtaposition.

- $R$ is confluent if $\tilde R^* R^* \subseteq R^* \tilde R^*$.

- $R$ is confluent modulo $\sim$ or $\sim$-confluent (see the footnote below) if $\tilde R^* R^* \subseteq R^* \sim \tilde R^*$.

- $R$ is $\sim$-confluent on $\sim$-classes if $\tilde R^* \sim R^* \subseteq R^* \sim \tilde R^*$.

- $R$ is locally confluent if $\tilde R R \subseteq R^* \tilde R^*$.

- $R$ is locally $\sim$-confluent if $\tilde R R \subseteq R^* \sim \tilde R^*$.

- $R$ is locally $\sim$-confluent on $\sim$-classes if $\tilde R \sim R \subseteq R^* \sim \tilde R^*$.

- $R$ is locally $\sim$-coherent if $\mathcal E R \subseteq R^* \sim \tilde R^*$.

- $R$ and $S$ commute if $\tilde R S \subseteq S \tilde R$.

- $R$ $\sim$-commutes on $\sim$-classes if $\tilde R \sim R \subseteq R \sim \tilde R$.

Lemma 7. If $\mathcal E$ is linear then $\sim$ commutes with $\beta$ and $\blacktriangleright$.

Proof. Assume that $t \to_{\beta,p} u$ ($\beta$-reduction at position $p$) and $t \to_{\mathcal E,q} v$ ($\mathcal E$-reduction at position $q$). There are several cases depending on the relative positions of the different reductions.

(Footnote.) The definitions of confluence modulo and local confluence modulo are those of [16]. They differ from Huet's definition [15]. Huet's confluence modulo corresponds to our confluence modulo on equivalence classes, but Huet's local confluence modulo does not correspond to our local confluence modulo on equivalence classes.
• $p$ and $q$ are disjoint (neither is a prefix of the other). Then the reductions clearly commute and $\mathcal E\beta \subseteq \beta\mathcal E$ in this case (remember that $\tilde{\mathcal E} = \mathcal E$).

• $p = q$: not possible since left-hand sides of rules are algebraic and distinct from a variable.

• $p < q$: $t|_p = [x:A]b\ a$ and $u = t[b\theta]_p$ with $\theta = \{x \mapsto a\}$.

  - Reduction in $A$: $v = t[[x:A']b\ a]_p$ with $A \to_{\mathcal E} A'$. Then $v \to_\beta u$ and $\mathcal E\beta \subseteq \beta$.

  - Reduction in $b$: $v = t[[x:A]b'\ a]_p$ with $b \to_{\mathcal E} b'$. Then $v \to_\beta t[b'\theta]_p \leftarrow_{\mathcal E} u$ and $\mathcal E\beta \subseteq \beta\mathcal E$.

  - Reduction in $a$: $v = t[[x:A]b\ a']_p$ with $a \to_{\mathcal E} a'$. Let $\theta' = \{x \mapsto a'\}$. Then $v \to_\beta t[b\theta']_p \leftarrow_{\mathcal E}^* u$ and $\mathcal E\beta \subseteq \beta\mathcal E^*$.

• $p > q$: $t = t[l\sigma]_q$ and $v = t[r\sigma]_q$. Since left-hand sides of rules are algebraic, there is one occurrence of a variable $x \in FV(l)$ such that $x\sigma \to_\beta w$. Let $\sigma'$ be the substitution such that $x\sigma' = w$ and $y\sigma' = y\sigma$ if $y \neq x$. Let $a$ (resp. $b$) be the number of occurrences of $x$ in $l$ (resp. $r$). Then $u \to_\beta^{a-1} t[l\sigma']_q \to_{\mathcal E} t[r\sigma']_q \leftarrow_\beta^{b} v$. Since $\mathcal E$ is linear, we have $a = b = 1$ and thus $\mathcal E\beta \subseteq \beta\mathcal E$.

In conclusion, in every case, we have $\mathcal E\beta \subseteq \beta\mathcal E^*$. By induction on the number of $\mathcal E$-steps, we get $\mathcal E^*\beta \subseteq \beta\mathcal E^*$, that is, $\sim\beta \subseteq \beta\sim$. Therefore, $\sim\blacktriangleright \subseteq \blacktriangleright\sim$ since $\blacktriangleright = \beta \cup \sim\mathcal R$, $\sim\beta \subseteq \beta\sim \subseteq \blacktriangleright\sim$ and $\sim\sim\mathcal R = \sim\mathcal R \subseteq \blacktriangleright \subseteq \blacktriangleright\sim$. □

Corollary 8. If $\mathcal E$ is linear and $t \in SN(\blacktriangleright)$ then $t \in SN(\sim\beta)$.

Proof. Assume that $t \in SN(\blacktriangleright)$. We prove that $(\sim\beta)^n \subseteq \beta^n\sim$ by induction on $n$. For $n = 0$, this is immediate. For $n+1$, $(\sim\beta)^{n+1} = (\sim\beta)^n\sim\beta \subseteq \beta^n\sim\sim\beta \subseteq \beta^{n+1}\sim$. Therefore, $t \in SN(\sim\beta)$. □

Lemma 9. If $\mathcal E$ is linear then $\to^* \subseteq \blacktriangleright^*\sim$ and ${}^*\!\leftarrow \subseteq \sim{}^*\!\blacktriangleleft$.

Proof. $\to^* \subseteq (\beta \cup \mathcal E \cup \sim\mathcal R)^*$. Since $\sim\beta^* \subseteq \beta^*\sim$ and $\sim\sim\mathcal R \subseteq \sim\mathcal R$, every $\mathcal E$-step can be moved to the end of a derivation, so that $\to^* \subseteq (\beta \cup \sim\mathcal R)^*\sim = \blacktriangleright^*\sim$. The second inclusion is the inverse of the first. □

Lemma 10. If $\mathcal E$ is linear then the following propositions are equivalent: $\to$ is confluent, $\blacktriangleright$ is $\sim$-confluent, $\blacktriangleright$ is $\sim$-confluent on $\sim$-classes.

Proof. Since $\mathcal E$ is linear, we have $\to^* \subseteq \blacktriangleright^*\sim$ (Lemma 9) and $\sim\blacktriangleright^* \subseteq \blacktriangleright^*\sim$ (Lemma 7); moreover $\sim \subseteq \to^*$ and $\blacktriangleright^* \subseteq \to^*$. We prove that $\blacktriangleright$ is $\sim$-confluent if $\to$ is confluent: ${}^*\!\blacktriangleleft\ \blacktriangleright^* \subseteq {}^*\!\leftarrow\ \to^* \subseteq \to^*\ {}^*\!\leftarrow \subseteq \blacktriangleright^*\sim\sim{}^*\!\blacktriangleleft = \blacktriangleright^*\sim{}^*\!\blacktriangleleft$. We prove that $\to$ is confluent if $\blacktriangleright$ is $\sim$-confluent: ${}^*\!\leftarrow\ \to^* \subseteq \sim{}^*\!\blacktriangleleft\ \blacktriangleright^*\sim \subseteq \sim\blacktriangleright^*\sim{}^*\!\blacktriangleleft\sim \subseteq \to^*\ {}^*\!\leftarrow$. We now prove that $\blacktriangleright$ is $\sim$-confluent on $\sim$-classes if $\blacktriangleright$ is $\sim$-confluent (the inverse is trivial): ${}^*\!\blacktriangleleft\sim\blacktriangleright^* \subseteq {}^*\!\blacktriangleleft\ \blacktriangleright^*\sim \subseteq \blacktriangleright^*\sim{}^*\!\blacktriangleleft\sim \subseteq \blacktriangleright^*\sim\sim{}^*\!\blacktriangleleft = \blacktriangleright^*\sim{}^*\!\blacktriangleleft$. □

Theorem 11. Type-checking is decidable if $\blacktriangleright$ is weakly normalizing, $\mathcal R$ is finitely branching, $\blacktriangleright$ is $\sim$-confluent on $\sim$-classes, $\mathcal E$ is linear and $\sim$ is decidable.

Proof. Type-checking is deciding whether a term $t$ has type $T$ in an environment $\Gamma$. A type for $t$ can be easily inferred. Then, one checks that it is equivalent to $T$ (see [10] for more details). Thus, we are left to prove that $\leftrightarrow^*$ is decidable. Since $\mathcal E$ is linear and $\blacktriangleright$ is $\sim$-confluent on $\sim$-classes, by Lemma 10, $\to$ is confluent and $\leftrightarrow^* = \to^*\,{}^*\!\leftarrow$. Since $\mathcal E$ is linear, by Lemma 9, $\to^* \subseteq \blacktriangleright^*\sim$ and ${}^*\!\leftarrow \subseteq \sim{}^*\!\blacktriangleleft$. Since $\blacktriangleright$ is weakly normalizing and finitely branching ($\sim$-classes are finite and $\beta$ and $\mathcal R$ are finitely branching), one can define a function $nf$ computing a $\blacktriangleright$-normal form of a term. We prove that $t \leftrightarrow^* u$ only if $nf(t) \sim nf(u)$ (the inverse is trivial). Assume that $t \blacktriangleright^* t' \sim u'\ {}^*\!\blacktriangleleft\ u$. Since $\blacktriangleright$ is $\sim$-confluent on $\sim$-classes, $nf(t) \sim nf(t')\ {}^*\!\blacktriangleleft\ t' \sim u' \blacktriangleright^* nf(u') \sim nf(u)$. Again, since $\blacktriangleright$ is $\sim$-confluent on $\sim$-classes, there exist $t''$ and $u''$ such that $nf(t) \sim nf(t') \blacktriangleright^* t'' \sim u''\ {}^*\!\blacktriangleleft\ nf(u') \sim nf(u)$. Since $nf(t')$ and $nf(u')$ are $\blacktriangleright$-normal forms, we have $nf(t) \sim nf(u)$. □

Lemma 12. For all relation $R$, if $R$ $\sim$-commutes on $\sim$-classes then $\sim R$ is $\sim$-confluent on $\sim$-classes.

Proof. Let $S = \sim R$; note that $\sim S = S$ and $\tilde S\sim = \tilde S$. We prove that $\tilde S^p \sim S^n \subseteq S^n \sim \tilde S^p$ by induction on $n$.

• Case $n = 0$. By induction on $p$. The case $p = 0$ is immediate. Case $p+1$: $\tilde S^{p+1}\sim = \tilde S^p\tilde S\sim \subseteq \tilde S^p\sim\tilde S \subseteq \sim\tilde S^{p+1}$ since $\tilde S\sim = \tilde R\sim\sim = \tilde R\sim = \tilde S \subseteq \sim\tilde S$.

• Case $n = 1$. By induction on $p$.

  - Case $p = 0$. $\sim S = \sim\sim R = \sim R = S \subseteq S\sim$.

  - Case $p+1$. $\tilde S^{p+1}\sim S = \tilde S^p\tilde S\sim S \subseteq \tilde S^p S\sim\tilde S \subseteq S\sim\tilde S^{p+1}$ since $\tilde S\sim S = \tilde R\sim\sim\sim R = \tilde R\sim R \subseteq R\sim\tilde R \subseteq S\sim\tilde S$.

• Case $n+1$. $\tilde S^p\sim S^{n+1} = \tilde S^p\sim S\,S^n \subseteq S\sim\tilde S^p S^n \subseteq S\sim\tilde S^p\sim S^n \subseteq S\sim S^n\sim\tilde S^p \subseteq S^{n+1}\sim\tilde S^p$, using the case $n = 1$, the induction hypothesis, and the following claim: $S\sim S^n\sim \subseteq S^{n+1}\sim$, which we prove by induction on $n$. The case $n = 0$ is immediate. Case $n+1$: $S\sim S^{n+1}\sim = S\sim S^n\sim S\sim \subseteq S^{n+1}\sim S\sim = S^{n+1}S\sim = S^{n+2}\sim$ since $\sim S = \sim\sim R = \sim R = S$. □

Lemma 13. For all relation $R$, if $R$ is $\sim$-confluent on $\sim$-classes then $\sim R$ is $\sim$-confluent on $\sim$-classes.

Proof. If $R$ is $\sim$-confluent on $\sim$-classes then $R^*$ $\sim$-commutes on $\sim$-classes. Hence, by Lemma 12, $\sim R^*$ is $\sim$-confluent on $\sim$-classes. Therefore, $\sim R$ is $\sim$-confluent on $\sim$-classes since $(\sim R)^* \subseteq (\sim R^*)^*$ and $(\sim R^*)^* \subseteq (\sim R)^*\sim$. □

Theorem 14. $\blacktriangleright$ is $\sim$-confluent on $\sim$-classes if $\blacktriangleright$ is strongly normalizing, $\mathcal E$ is linear, $\mathcal R$ is locally $\sim$-confluent and $\mathcal R$ is locally $\sim$-coherent.

Proof. We first prove that $\beta \cup \mathcal R$ is $\sim$-confluent on $\sim$-classes. In [15], Huet proves that a relation $R$ is $\sim$-confluent on $\sim$-classes if $R\sim$ is strongly normalizing, $R$ is locally $\sim$-confluent and $R$ is locally $\sim$-coherent. We take $R = \beta \cup \mathcal R$ and check the conditions. $R\sim$ is strongly normalizing since $\blacktriangleright$ is strongly normalizing and $\beta$ and $\sim$ commute ($\mathcal E$ is linear). Local confluence: $\tilde\beta\beta \subseteq \beta^*\tilde\beta^*$ since $\beta$ is locally confluent, $\tilde{\mathcal R}\beta \subseteq \beta^*\tilde{\mathcal R}^*\tilde\beta^*$ after the proof of Lemma 7, and $\tilde{\mathcal R}\mathcal R \subseteq \mathcal R^*\sim\tilde{\mathcal R}^*$ by assumption. Local coherence: $\mathcal E\beta \subseteq \beta\mathcal E \subseteq \beta\sim$ since $\mathcal E$ is linear, and $\mathcal E\mathcal R \subseteq \mathcal R^*\sim\tilde{\mathcal R}^*$ by assumption.

So, $R = \beta \cup \mathcal R$ is $\sim$-confluent on $\sim$-classes. Therefore, by Lemma 13, $\sim R$ is $\sim$-confluent on $\sim$-classes. We now prove the theorem. We have $\blacktriangleright^* \subseteq (\sim R)^*$ and $(\sim R)^* \subseteq \blacktriangleright^*\sim$ ($\beta$ and $\sim$ commute since $\mathcal E$ is linear). Thus, ${}^*\!\blacktriangleleft\sim\blacktriangleright^* \subseteq (\widetilde{\sim R})^*\sim(\sim R)^* \subseteq (\sim R)^*\sim(\widetilde{\sim R})^* \subseteq \blacktriangleright^*\sim\sim\sim{}^*\!\blacktriangleleft = \blacktriangleright^*\sim{}^*\!\blacktriangleleft$. □
Huet also proves in [15] that $\mathcal R$ is locally $\sim$-confluent iff its critical pairs are $\sim$-confluent, and that $\mathcal R$ is locally $\sim$-coherent if $\mathcal R$ is left-linear and the critical pairs between $\mathcal R$ and $\mathcal E$ are $\sim$-confluent. So, $\sim$-confluence is decidable whenever $\blacktriangleright$ is strongly normalizing, $\sim$ is decidable and $\mathcal R \cup \mathcal E$ is finite: it amounts to checking whether the critical pairs between the rules, and between the rules and the equations (in both directions), are $\sim$-confluent.

Unfortunately, when considering type-level rewriting, confluence is required 
for proving strong normalization. Whether strong normalization can be proved 
by using local confluence only is an open problem. Fortunately, confluence can 
be proved for a large class of rewrite systems without using strong normalization, 
namely the left-linear systems. 

Theorem 15. $\blacktriangleright$ is $\sim$-confluent on $\sim$-classes if $\mathcal E$ is linear, $\mathcal R$ is left-linear and $\mathcal R$ is $\sim$-confluent on $\sim$-classes.

Proof. In [24], Van Oostrom and Van Raamsdonk prove that the combination of two left-linear and confluent Combinatory Reduction Systems (CRS) $\mathcal H$ and $\mathcal J$ is confluent if all the critical pairs between the rules of $\mathcal H$ and the rules of $\mathcal J$ are trivial. We prove the theorem by taking $\mathcal H = \mathcal R \cup \mathcal E$ and $\mathcal J = \beta$, and by proving that $\mathcal H$ is confluent. Since $\mathcal H^* \subseteq (\sim\mathcal R)^*\sim$, we have $\tilde{\mathcal H}^*\mathcal H^* \subseteq \sim(\widetilde{\sim\mathcal R})^*(\sim\mathcal R)^*\sim$. Since $\mathcal R$ is $\sim$-confluent on $\sim$-classes, by Lemma 13, $\sim\mathcal R$ is $\sim$-confluent on $\sim$-classes. Therefore, $\sim(\widetilde{\sim\mathcal R})^*(\sim\mathcal R)^*\sim \subseteq \sim(\sim\mathcal R)^*\sim(\widetilde{\sim\mathcal R})^*\sim \subseteq \mathcal H^*\tilde{\mathcal H}^*$. □

Again, $\mathcal R$ is $\sim$-confluent on $\sim$-classes if $\sim\mathcal R$ is strongly normalizing and $\mathcal R$ is locally $\sim$-confluent and $\sim$-coherent, which can be proved by analyzing the critical pairs between the rules and between the rules and the equations (when $\mathcal R$ is left-linear) [15].

7 Conclusion 

In [3,2], we give general syntactic conditions based on the notion of computability closure for proving the strong normalization of $\beta$-reduction and (higher-order) rewriting. In this paper, we show that the notion of computability closure can also be used for proving the strong normalization of $\beta$-reduction and (higher-order) rewriting modulo (higher-order) equations. It is interesting to note that, in our approach, the introduction of equations does not affect the conditions on rules: although based on the same notion, equations and rules are dealt with separately. Finally, one may wonder whether our method could be extended to Jouannaud and Rubio's Higher-Order Recursive Path Ordering (HORPO) [17,25], which also uses the notion of computability closure for increasing its expressive power.
Termination of String Rewriting Rules That Have One Pair of Overlaps
Abstract. This paper presents a partial solution to the long standing open problem whether termination of one-rule string rewriting is decidable. Overlaps between the two sides of the rule play a central role in existing termination criteria. We characterize termination of all one-rule string rewriting systems that have one such overlap at either end. This both completes a result of Kurth and generalizes a result of Shikishima-Tsuji et al.

Key Words and Phrases: semi-Thue system, string rewriting, one- 
rule, single-rule, termination, uniform termination, overlap 



1 Introduction and Related Work 

Whether termination of one-rule string rewriting systems (SRSs) is decidable or not, is a long standing open problem [2,3,4,6,10,11,12,13,14,15,17]. A systematic approach was started by Kurth [7]. Kurth introduced a number of termination criteria to decide termination for all $\ell \to r$ where $|r| \le 6$.

Most of Kurth’s criteria (5 out of 8), and indeed most of the criteria intro- 
duced since, are based on two sets: the set of overlaps of the left hand side (from 
the left end) with the right hand side (from the right end); and the set of overlaps 
of the right hand side (from the left end) with the left hand side (from the right 
end). Kurth’s Criterion D states that we have termination if one or both of the 
two sets are empty. 

In the case where both sets are singletons, we say that the one-rule SRS has one pair of overlaps. Kurth [7] provides Criterion F specifically for this case. As Criterion F can only prove termination of rules that are left barren or right barren, it is incomplete as we will show (Example 2). Shikishima-Tsuji et al. [15, Theorem 2] show that a confluent one-rule SRS with one pair of overlaps terminates if and only if there are no loops of lengths 1 or 2. As a consequence termination of such SRSs is decidable.

This paper completely solves the termination problem for one-rule SRSs with 
one overlap pair. We prove that such an SRS terminates if and only if it has no 
loop of lengths 1, 2 or 3 (Theorem 6). This implies decidability of the termination 
problem. 

It turns out that the extension is non-trivial. There are two behaviours that were observed neither by Kurth nor by Shikishima-Tsuji et al.: loops of length 3, and terminating non-tame rules.

This paper makes the following original contributions: 

1. Termination of one-rule SRSs with one overlap pair is shown decidable. 

2. Termination of one-rule SRSs with one overlap pair is shown equivalent to 
the non-existence of loops of length 3 or less. 

3. Terminating one-rule SRSs with one overlap pair are shown to have linear 
derivation lengths, unless they are left barren or right barren. 

4. For the first time, a termination criterion for a class of non-tame one-rule 
SRSs is presented. 

The paper is organized as follows. After the preliminaries (Section 2) and an 
introduction to left barren and tame rules (Section 3), we focus on the interesting 
non-tame case. In Section 4, we derive a pattern that describes the non-tame 
rules. In Sections 5 and 6, we solve the non-terminating and terminating non- 
tame rules, respectively. Section 7 finally shows the main theorem of the paper 
and its ramifications. 

2 Preliminaries 

A string rewriting rule is a pair $\ell \to r$ of strings, $\ell, r \in \Sigma^*$ where $\Sigma$ is a given alphabet. A set of string rewriting rules is called a string rewriting system (SRS). An SRS $R$ induces a rewrite step relation $\to$ defined by $s \to t$ if there are $u, v \in \Sigma^*$ and a rule $\ell \to r$ in $R$ such that $s = u\ell v$ and $t = urv$. The SRS $R$ is said to terminate if there is no infinite sequence of rewrite steps $s_1 \to s_2 \to \cdots$.

The length of a string $u$ is denoted by $|u|$. A string $u$ is called a factor of $v$ if $v = sut$ for some $s, t \in \Sigma^*$; a prefix if $v = ut$ for some $t \in \Sigma^*$; a suffix if $v = su$ for some $s \in \Sigma^*$. The prefix or suffix $u$ of $v$ is called proper if $u \neq v$. The set of overlaps of a string $u$ with a string $v$ is defined by

$\mathrm{OVL}(u, v) = \{w \in \Sigma^+ \mid u = u'w,\ v = wv',\ u'v' \neq \varepsilon,\ u', v' \in \Sigma^*\}.$

3 Left Barren Rules 

For a fixed one-rule SRS $\{\ell \to r\}$ let $A = \mathrm{OVL}(r, \ell) \times \{0\}$ and $B = \mathrm{OVL}(\ell, r) \times \{1\}$. The labels 0 and 1 are there to make $A$ and $B$ disjoint. By abuse of notation, we will confuse elements of $A$ and $B$ with elements of $\mathrm{OVL}(r, \ell)$ and $\mathrm{OVL}(\ell, r)$, respectively.

For all $\alpha \in A$, the strings $\ell_\alpha$ and $r_\alpha$ are defined by $\ell = \alpha\ell_\alpha$ and $r = r_\alpha\alpha$, respectively. Likewise, for all $\beta \in B$, the strings $\ell_\beta$ and $r_\beta$ are defined by $\ell = \ell_\beta\beta$ and $r = \beta r_\beta$, respectively.

The following definition of “left barren” is after McNaughton’s corrected 
version. The original definition is renamed to “left s-barren” (see Definition 2), 
following a suggestion of Kobayashi et al. [6]. 

Definition 1 (Left barren, right barren [10]). A one-rule SRS $\{\ell \to r\}$ is called left barren if $\ell$ is not a factor of $r$ and no $\ell_\alpha$, $\alpha \in A$ is a prefix of any concatenation $r_{\beta_1} r_{\beta_2} \cdots r_{\beta_k}$, where $\beta_1, \ldots, \beta_k \in B$, $k \ge 1$. Dually, $\{\ell \to r\}$ is called right barren if $\ell$ is not a factor of $r$ and no $\ell_\beta$, $\beta \in B$ is a suffix of any concatenation $r_{\alpha_1} r_{\alpha_2} \cdots r_{\alpha_k}$ where $\alpha_1, \ldots, \alpha_k \in A$, $k \ge 1$.

A one-rule SRS $\{\ell \to r\}$ is called non-overlapping if $\mathrm{OVL}(\ell, \ell) = \emptyset$.

Theorem 1 ([10]). Every non-overlapping, left barren, one-rule SRS terminates.



Theorem 2 ([3]). Every left barren one-rule SRS terminates. 

By symmetry w.r.t. reversal of strings also every right barren one-rule SRS 
terminates. 

Definition 2 (Left s-barren, right s-barren [10,6]). A rule $\ell \to r$ is called left s-barren if $\ell$ is not a factor of $r$ and no $\ell_\alpha$, $\alpha \in A$ is a prefix of any $r_\beta$, $\beta \in B$. Dually $\ell \to r$ is called right s-barren if $\ell$ is not a factor of $r$ and no $\ell_\beta$, $\beta \in B$ is a suffix of any $r_\alpha$, $\alpha \in A$.

A left barren rule is left s-barren, but the converse usually does not hold. Indeed we will encounter left s-barren, not left barren rules later in this paper. They belong to a class of rules whose termination is particularly difficult to show. Next we will define this class.

In the following definition we consider $A$, $B$ as alphabets. For $\alpha = \alpha_1\alpha_2\cdots\alpha_k \in A^*$ we define $\ell_\alpha$ by $\ell_\alpha = \ell_{\alpha_1}\ell_{\alpha_2}\cdots\ell_{\alpha_k}$. And dually, for $\beta = \beta_1\beta_2\cdots\beta_k \in B^*$ we define $\ell_\beta$ analogously.

Kobayashi et al. [6] introduced the notion of tame, non-overlapping one-rule 
SRSs. 

Definition 3 (Tame [3]). Let $\{\ell \to r\}$ be a one-rule SRS. The sets $C$ and $D$ are defined by

$C = \{r' \in \Sigma^* \mid r = \beta\ell_\alpha r',\ \beta \in B,\ \alpha \in A^*\}$,
$D = \{r' \in \Sigma^* \mid r = r'\ell_\beta\alpha,\ \alpha \in A,\ \beta \in B^*\}$.

Then $\ell \to r$ is called tame if $\ell$ is neither of the form

$\alpha r_1 r_2 \cdots r_k w$ (1)

for any $\alpha \in A$, $k \ge 1$, $r_1, \ldots, r_k \in C$, and non-empty prefix $w$ of an element of $C$; nor of the form

$w r_1 r_2 \cdots r_j \beta$ (2)

for any $\beta \in B$, $j \ge 1$, $r_1, \ldots, r_j \in D$, and non-empty suffix $w$ of an element of $D$.



The following result is implicit in Kobayashi et al. [6, Cor. 5.9].

Theorem 3. Every non-overlapping, tame, left s-barren one-rule SRS is left barren.

Theorem 4 ([3]). Every tame, left s-barren one-rule SRS is left barren.

By symmetry, every tame, right s-barren one-rule SRS is right barren.

Proof. For a proof by contradiction, assume that $\ell \to r$ is not left barren, i.e., some $\ell_\alpha$ is a prefix of some concatenation $r_{\beta_1} r_{\beta_2} \cdots r_{\beta_n}$. Let $n$ be minimal. If $n = 1$ then $\ell \to r$ is not left s-barren. So $n \ge 2$ whence $\ell_\alpha$ is of the form $r_{\beta_1} r_{\beta_2} \cdots r_{\beta_{n-1}} w$ where $w$ is a nonempty prefix of $r_{\beta_n}$. Hence $\ell$ is of the form (1) and so $\ell \to r$ is not tame. □

4 A Reduction of the Problem 

Throughout the remainder of this paper we assume a one-rule SRS $\{\ell \to r\}$ that has one pair of overlaps, i.e., $|\mathrm{OVL}(r, \ell)| = |\mathrm{OVL}(\ell, r)| = 1$. Let then $\alpha, \beta \in \Sigma^+$ be defined by $\mathrm{OVL}(r, \ell) = \{\alpha\}$ and $\mathrm{OVL}(\ell, r) = \{\beta\}$.

We will devote the greater part of the paper to solving the interesting case: rules that are left s-barren but neither left barren nor right s-barren. According to Theorem 4, these are non-tame, specifically they are of the form (1). In this section we will derive the general pattern of such rules. Let us henceforth assume that $\ell$ is not a factor of $r$ and that $|\ell| < |r|$.

The first pattern is derived without the non-right-s-barren hypothesis. 

Lemma 1. Let $\ell \to r$ be left s-barren but not left barren. Then $|\beta| > |\alpha|$ and $\ell \to r$ is of the form

$\alpha(ww')^{n-1}w \to \beta ww'$ (3)

for some $n \ge 2$, $w' \in \Sigma^*$, and $w \in \Sigma^+$.

Proof. Let $\ell \to r$ be left s-barren but not left barren. Then we get by the respective definitions that $\ell_\alpha$ is not a prefix of $r_\beta$ and that $\ell_\alpha$ is a prefix of $r_\beta^n$ for some $n \ge 1$. Hence $r_\beta$ is a proper prefix of $\ell_\alpha$. So let $\ell_\alpha = r_\beta^{n-1}w$ where $n \ge 2$, and $w$ is a non-empty prefix of $r_\beta$. Let $w' \in \Sigma^*$ be defined by $r_\beta = ww'$. By back-substitution we get the form (3). From $|\beta r_\beta| = |r| > |\ell| = |\alpha r_\beta^{n-1}w|$ we conclude $|\beta| > |\alpha|$. □
We can rule out the case where $\alpha$ and $\beta$ overlap in $\ell$.

Lemma 2. If $\ell \to r$ is left s-barren but not left barren then $|\alpha| + |\beta| \le |\ell|$.

Proof. Let $\ell \to r$ be left s-barren but not left barren. By Lemma 1 we get that $\ell \to r$ has the form (3). For a proof by contradiction assume $|\alpha| + |\beta| > |\ell|$. Then there is a non-empty suffix $u$ of $\alpha$ such that $\beta = u(ww')^{n-1}w$. Define $\alpha' \in \Sigma^*$ by $\alpha = \alpha'u$. The string $\alpha'$ is non-empty by $\beta \neq \ell$. Thus $\ell$ and $r$ are of the form

$\ell = \alpha' u (ww')^{n-1} w$,
$r = u (ww')^{n-1} w w w'$,

for some $n \ge 2$, $w' \in \Sigma^*$, and $\alpha', u, w \in \Sigma^+$.

Now we use the fact that $\alpha = \alpha'u$, and so $u$, is a suffix of $r = u(ww')^{n-1}www'$. Let $m \ge 0$ be maximal such that $((ww')^{n-1}www')^m$ is a suffix of $u$. Define $u_1 \in \Sigma^*$ by $u = u_1((ww')^{n-1}www')^m$. Then $u_1$ is a proper suffix of $(ww')^{n-1}www'$. If $u_1$ is a suffix of $ww'$ then $u_1 w \in \mathrm{OVL}(\ell, r)$, a contradiction. So $ww'$ is a proper suffix of $u_1$. Let $u_2 \in \Sigma^+$ be defined by $u_1 = u_2 ww'$. Then $u_2$ is a proper suffix of $(ww')^{n-1}w$. Hence $u_2 \in \mathrm{OVL}(\ell, r)$, a contradiction. □

Knowing that a and (3 do not overlap in £, we can narrow the pattern for 
the rule: 

Lemma 3. Let $\ell \to r$ be left s-barren but not left barren. Then $\ell \to r$ is of the form

$awxyaw \to yawwxya$ (4)

for some $x \in \Sigma^*$ and $y, a, w \in \Sigma^+$.

Proof. Let $\ell \to r$ be left s-barren but not left barren. By Lemma 1 we get that $\ell \to r$ has the form (3). Lemma 2 yields $|\alpha| + |\beta| \le |\ell|$, so $\beta$ is a suffix of $(ww')^{n-1}w$. We distinguish cases whether $\beta$ starts in some $w$ or in some $w'$.

Case 1: $\beta = w''(w'w)^i$ for some $0 \le i \le n-1$, and some non-empty suffix $w''$ of $w$. If $i \ge 1$ then $w'' \in \mathrm{OVL}(\ell, r)$, a contradiction. So $i = 0$ and $\beta = w''$. Then

$|r| - |\ell| = |w''| + |w| + |w'| - (|\alpha| + n|w| + (n-1)|w'|) < 0,$

again a contradiction.

Case 2: $\beta = w''w(w'w)^i$ for some $0 \le i \le n-2$, and some nonempty suffix $w''$ of $w'$. If $i \ge 1$ then $w''w \in \mathrm{OVL}(\ell, r)$, a contradiction. So $i = 0$ and $\beta = w''w$. Let $w' = xw''$ for some string $x$. Then we have

$\ell = \alpha(wxw'')^{n-1}w$,
$r = w''wwxw''$,

and so

$|r| - |\ell| = 2|w''| + 2|w| + |x| - (|\alpha| + (n-1)|w''| + (n-1)|x| + n|w|) = (3-n)|w''| + (2-n)|w| + (2-n)|x| - |\alpha|.$

If $n \ge 3$ then $|r| - |\ell| < 0$. So $n = 2$ and $|r| - |\ell| = |w''| - |\alpha| > 0$ whence $|w''| > |\alpha|$. By definition of $\alpha$ now $\alpha$ is a proper suffix of $w''$. Let $w'' = ya$ for some $y \in \Sigma^+$. We conclude that $\ell \to r$ is of the form (4). □

Adding the non-right-s-barren premise allows us to narrow the rule pattern 
further: 

Lemma 4. If $\ell \to r$ is left s-barren but neither left barren nor right s-barren then $\ell \to r$ is of the form

$awx(yawx)^{m+1}aw \to yawxawwx(yawx)^{m+1}a$ (5)

for some $m \ge 0$, $x \in \Sigma^*$, and $a, w, y \in \Sigma^+$.

Proof. Let $\ell \to r$ be left s-barren but neither left barren nor right s-barren. By Lemma 3 we get that $\ell \to r$ has the form (4).

The property that $\ell \to r$ is not right s-barren means that $\ell_\beta = awx$ is a suffix of $r_\alpha = yawwxy$. Recall that $x \in \Sigma^*$ and $a, w, y \in \Sigma^+$. Let $m \ge 0$ be maximal such that $y^m$ is a suffix of $x$. Define $x_1 \in \Sigma^*$ by $x = x_1y^m$. Then $awx_1$ is a suffix of $yawwx_1y$ and $x_1$ is a proper suffix of $y$. Define $y_1 \in \Sigma^+$ by $y = y_1x_1$. Then $aw$ is a suffix of $y_1x_1awwx_1y_1$. If $y_1$ is a suffix of $w$ then $y_1 \in \mathrm{OVL}(\ell, r)$, a contradiction. So $w$ is a proper suffix of $y_1$. Define $y_2 \in \Sigma^+$ by $y_1 = y_2w$. Then $a$ is a suffix of $y_2wx_1awwx_1y_2$. If $y_2$ is a suffix of $a$ then $y_2w \in \mathrm{OVL}(\ell, r)$, a contradiction. So $a$ is a proper suffix of $y_2$. Define $y_3 \in \Sigma^+$ by $y_2 = y_3a$.

By back-substitution we get

$y = y_1x_1 = y_2wx_1 = y_3awx_1$,
$x = x_1y^m = x_1(y_3awx_1)^m$,
$\ell = awxyaw = awx_1(y_3awx_1)^{m+1}aw$,
$r = yawwxya = y_3awx_1awwx_1(y_3awx_1)^{m+1}a$,

and thus the form (5) by the renaming $\{x_1 \mapsto x,\ y_3 \mapsto y\}$. □

The following is interesting to note. It explains why rules of the form (5) 
were not observed by Shikishima-Tsuji et al. 

Theorem 5. All rules of the form (5) are non-confluent.

Proof. A one-rule SRS $\{\ell \to r\}$ where $|\ell| < |r|$ is confluent if and only if $\mathrm{OVL}(\ell, \ell) \subseteq \mathrm{OVL}(r, r)$ by a result of Wrathall [16]. A rule of the form (5) satisfies $aw \in \mathrm{OVL}(\ell, \ell)$. If $aw \in \mathrm{OVL}(r, r)$ then $aw \in \mathrm{OVL}(r, \ell)$, a contradiction to $\mathrm{OVL}(r, \ell) = \{a\}$. So $aw \in \mathrm{OVL}(\ell, \ell) \setminus \mathrm{OVL}(r, r)$ whence $\ell \to r$ is not confluent. □

In the next two sections we are going to identify the non-terminating and 
the terminating instances of the form (5). 
5 The Non-terminating Case

A rule of the form (5) loops in the following case:

Lemma 5. Let $\ell \to r$ be left s-barren but neither left barren nor right s-barren. If $\ell_\beta\ell_\beta$ is a suffix of $r_\alpha$, then the one-rule SRS $\{\ell \to r\}$ has a loop of length 3.

Proof. Like in the proof of Lemma 1, we get $\ell_\alpha = r_\beta^{n-1}w$ and $r_\beta = ww'$ for some $w \in \Sigma^+$, $w' \in \Sigma^*$, $n \ge 2$. In the proof of Lemma 3 we showed $n = 2$. With $r_\alpha = v\ell_\beta\ell_\beta$ for some $v \in \Sigma^*$, we then get a loop:

$\ell\ell_\alpha \to r\ell_\alpha = r_\alpha\alpha\ell_\alpha = r_\alpha\ell \to r_\alpha r = v\ell_\beta\ell_\beta\beta r_\beta = v\ell_\beta\ell r_\beta \to v\ell_\beta rr_\beta = v\ell_\beta\beta r_\beta r_\beta = v\ell r_\beta r_\beta = v\ell\ell_\alpha w'.$ □

These loops are also instances of Kurth's criterion for loops of length 3 [8, Theorem 2, Case A]. The following little result provides an alternative criterion to Lemma 5.

Lemma 6. If $\ell \to r$ has the form (5) then the following are equivalent:

1. $\ell_\beta\ell_\beta$ is a suffix of $r_\alpha$,

2. $m = 0$ and $y = y'awx$ for some $y' \in \Sigma^+$.

Proof. Obviously (2) implies (1). Next we show the converse by contradiction. Let $\ell \to r$ have the form (5) and let $\ell_\beta\ell_\beta$ be a suffix of $r_\alpha$. Define $v \in \Sigma^*$ by $r_\alpha = v\ell_\beta\ell_\beta$. If $m > 0$ then $y$ is a suffix of $yaw$ and then $yaw \in \mathrm{OVL}(\ell, r)$, a contradiction. With $m = 0$, the string $awx$ is a suffix of $awwxy$. If $y$ is a suffix of $awx$ then $yaw \in \mathrm{OVL}(\ell, r)$, a contradiction. So $awx$ is a proper suffix of $y$, i.e., there is $y' \in \Sigma^+$ such that $y = y'awx$. □


Example 1. The one-rule SRS

$bcabcbcbc \to abcbcbccabcbcb$

has a loop of length 3:

bcabcbcbc cabcbcbc →
abcbcbccabcbc bcabcbcbc →
abcbcbccabc bcabcbcbc cabcbcb →
abcbcbcca[bcabcbcbccabcbcbc]abcbcb.

Redexes are set off by spaces. The re-occurrence of the start string is indicated by square brackets. This example provides the smallest non-terminating witness ($|r| = 14$) of Lemma 4.
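The overlap sets and the barren tests used so far are small enough to compute directly. The following Python script is an added example (not code from the paper): it implements OVL(u, v) from Section 2, the strings ℓ_α, r_α, ℓ_β, r_β of Section 3, the left/right (s-)barren tests of Definitions 1 and 2 specialised to a rule with one pair of overlaps (every concatenation r_{β_1}···r_{β_k} is then a power r_β^k, so a single bounded prefix test decides Definition 1), Wrathall's confluence criterion as quoted in Theorem 5, and the hypothesis of Lemma 5. Function names are the example's own, and it assumes |ℓ| < |r| as in Section 4. Run on the rule of Example 1 it returns α = b, β = abcbcbc, and the classification "left s-barren, neither left barren nor right s-barren", with ℓ_βℓ_β a suffix of r_α.

```python
"""Overlap sets and barren tests for a one-rule SRS {l -> r} (added example)."""
from __future__ import annotations


def ovl(u: str, v: str) -> set[str]:
    """OVL(u, v): non-empty w with u = u'w and v = wv', excluding u = v = w."""
    return {u[i:] for i in range(len(u))
            if v.startswith(u[i:]) and not (i == 0 and u == v)}


def one_overlap_pair(l: str, r: str) -> tuple[str, str] | None:
    """(alpha, beta) if |OVL(r, l)| = |OVL(l, r)| = 1, else None."""
    a, b = ovl(r, l), ovl(l, r)
    if len(a) == 1 and len(b) == 1:
        return next(iter(a)), next(iter(b))
    return None


def confluent_by_wrathall(l: str, r: str) -> bool:
    """Criterion quoted in Theorem 5 (valid for |l| < |r|): OVL(l,l) subset of OVL(r,r)."""
    if len(l) >= len(r):
        raise ValueError("criterion assumes |l| < |r|")
    return ovl(l, l) <= ovl(r, r)


def classify(l: str, r: str) -> dict:
    """Properties of Sections 3-5 for a rule with one pair of overlaps and |l| < |r|:
    l = alpha l_alpha = l_beta beta, r = r_alpha alpha = beta r_beta, the (s-)barren
    tests, and the hypothesis of Lemma 5 (l_beta l_beta a suffix of r_alpha)."""
    if len(l) >= len(r):
        raise ValueError("Section 4 assumes |l| < |r|")
    pair = one_overlap_pair(l, r)
    if pair is None:
        raise ValueError("rule does not have exactly one pair of overlaps")
    alpha, beta = pair
    l_alpha, r_alpha = l[len(alpha):], r[:-len(alpha)]
    l_beta, r_beta = l[:-len(beta)], r[len(beta):]
    no_factor = l not in r
    # Definition 1 with a single beta: l_alpha is a prefix of some r_beta^k iff it is a
    # prefix of r_beta^K with K*|r_beta| >= |l_alpha|  (r_beta, r_alpha are non-empty).
    k_left = -(-len(l_alpha) // len(r_beta))
    k_right = -(-len(l_beta) // len(r_alpha))
    return {
        "alpha": alpha, "beta": beta,
        "l_alpha": l_alpha, "r_alpha": r_alpha,
        "l_beta": l_beta, "r_beta": r_beta,
        # Definition 2
        "left_s_barren": no_factor and not r_beta.startswith(l_alpha),
        "right_s_barren": no_factor and not r_alpha.endswith(l_beta),
        # Definition 1 (bounded form)
        "left_barren": no_factor and not (r_beta * k_left).startswith(l_alpha),
        "right_barren": no_factor and not (r_alpha * k_right).endswith(l_beta),
        # Lemma 5 hypothesis: a loop of length 3 exists
        "lemma5_loop": r_alpha.endswith(l_beta + l_beta),
    }


if __name__ == "__main__":
    # Rule of Example 1 in the paper.
    for key, val in classify("bcabcbcbc", "abcbcbccabcbcb").items():
        print(f"{key:>14}: {val}")
```

For Example 1 the script reports left_s_barren = True, left_barren = False, right_s_barren = False and lemma5_loop = True, which is exactly the case of Lemma 5; confluent_by_wrathall returns False, in line with Theorem 5.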
6 The Terminating Case

For this section let us assume a rule of the form (5) where $\ell_\beta\ell_\beta$ is not a suffix of $r_\alpha$. We are going to reduce termination of such a rule to termination of an SRS $R$ over a different alphabet. Termination of $R$ will be easy to prove.

Define $r_\delta$, $r_{\beta,\alpha}$ and $r_{\beta,\delta}$ by

$r = r_\delta\ell_\beta\alpha,\quad r = \beta r_{\beta,\alpha}\alpha,\quad r = \beta r_{\beta,\delta}\ell_\beta\alpha.$

These definitions are sound as witnessed by

$\beta = yawxaw$,
$\ell_\beta = awx(yawx)^m$,
$r_\delta = yawxawwxy$,
$r_{\beta,\alpha} = wx(yawx)^{m+1}$,
$r_{\beta,\delta} = wxy$.



Lemma 7. Let $\ell \to r$ have the form (5). Then the following rewrite steps exist:

$r_\alpha r_\alpha \to r_\delta r r_{\beta,\alpha},\quad r_\alpha r_\delta \to r_\delta r r_{\beta,\delta},\quad r_\alpha r \to r_\delta r r_\beta,$
$r_{\beta,\alpha} r_\alpha \to r_{\beta,\delta} r r_{\beta,\alpha},\quad r_{\beta,\alpha} r_\delta \to r_{\beta,\delta} r r_{\beta,\delta},\quad r_{\beta,\alpha} r \to r_{\beta,\delta} r r_\beta.$

Proof. Routine. □

Lemma 8. Let $\ell \to r$ have the form (5) and let $\ell_\beta\ell_\beta$ not be a suffix of $r_\alpha$. Then $\ell$ is not a factor of any of the following: (1) $r_\delta^i r$, (2) $r r_\beta$, (3) $r r_{\beta,\delta} r_\delta^i r$, for any $i \ge 0$.

Proof. For Claim 1, let $i \ge 1$ be least such that $\ell$ is a factor of $r_\delta^i r$. Then $\ell_\beta$ is a suffix of $r_\delta$ because $\beta$ is the only overlap of $\ell$ with $r$. Since $\ell_\beta\ell_\beta$ is not a suffix of $r_\alpha = r_\delta\ell_\beta$, $\ell_\beta$ is not a suffix of $y$. Hence $y$ is a proper suffix of $\ell_\beta$ and so of $yawx$. So $yaw \in \mathrm{OVL}(\ell, r)$, a contradiction.

For Claim 2, let $\ell$ be a factor of $r r_\beta$. Because $\alpha$ is the only overlap between $r$ and $\ell$, we have $|\ell_\alpha| \le |r_\beta|$, a contradiction.

For Claim 3 assume that $\ell$ is a factor of $r r_{\beta,\delta} r_\delta^i r$ for some $i \ge 0$. By Claims 1 and 2, $\ell$ is neither a factor of $r_{\beta,\delta} r_\delta^i r$ nor of $r r_{\beta,\delta}$, so $\ell$ is of the form $\ell' r_{\beta,\delta} r_\delta^j \ell''$ for some $0 \le j \le i$ and some non-empty suffix $\ell'$ of $r$ and some non-empty prefix $\ell''$ of $r$. Thus $\ell$ is of the form $\alpha r_{\beta,\delta} r_\delta^j \beta$. If $j = 0$ then $wx(yawx)^{m+1} = wxy$ which contradicts $y, a \in \Sigma^+$. So $j > 0$ and $y$ is a proper suffix of $\ell_\beta$. We get a contradiction by $yaw \in \mathrm{OVL}(\ell, r)$. □

The six-rule SRS $R$ over $\Omega = \{a, b, c, d, e, f\}$ is defined as follows:

$R = \{g'g'' \to h'fh'' \mid (g', h') \in \{(a, d), (c, e)\},\ (g'', h'') \in \{(a, c), (d, e), (f, b)\}\}.$

Define the weight $wt^*(x)$ of a string $x$ by $wt(a) = wt(c) = 3$, $wt(b) = wt(d) = wt(e) = wt(f) = 1$, and $wt^*(x_1 \cdots x_k) = \sum_{i=1}^{k} wt(x_i)$. Then $R$ terminates by

$wt^*(u) - wt^*(v) = (wt(g') - wt(h')) - wt(f) + (wt(g'') - wt(h'')) = 2 - 1 + 0 > 0$

for all rewrite steps $u \to_R v$.

Let the string homomorphism $\phi : \Omega^* \to \Sigma^*$ be defined by $\phi(a) = r_\alpha$, $\phi(b) = r_\beta$, $\phi(c) = r_{\beta,\alpha}$, $\phi(d) = r_\delta$, $\phi(e) = r_{\beta,\delta}$, $\phi(f) = r$. By Lemma 7, $u \to_R v$ implies $\phi(u) \to_{\ell \to r} \phi(v)$ for all $u, v \in \Omega^*$. However we will need the converse direction. To this end let us define the regular language $M$ by

$M = (a + d(fe)^* + d(fe)^*fc)^*(af + d(fe)^*f(cf + b)) + f.$

Let $\phi[M]$ denote the set $\{\phi(u) \mid u \in M\}$. We are going to show that $\{\ell \to r\}$-reduction steps on $\phi[M]$ can be simulated by $R$-reduction steps. First we show that $R$-reduction preserves $M$.

Lemma 9. If $u \in M$ and $u \to_R v$ then $v \in M$.

Proof. Let $(g', h') \in \{(a, d), (c, e)\}$ and $(g'', h'') \in \{(a, c), (d, e), (f, b)\}$. Let $u = u'g'g''u'' \in M$ and $v = u'h'fh''u''$. Then we derive

$u' \in (a + d(fe)^* + d(fe)^*fc)^*$ if $g' = a$,
$u' \in (a + d(fe)^* + d(fe)^*fc)^*d(fe)^*f$ if $g' = c$.

Case 1: $g'' = a$. If $g' = a$ then $u'' \in M$ whence $v = u'dfcu'' \in M$. If $g' = c$ then $u'' \in M$ whence $v = u'efcu'' \in M$.

Case 2: $g'' = d$. Then

$u'' \in ((fe)^* + (fe)^*fc)(a + d(fe)^* + d(fe)^*fc)^*(af + d(fe)^*f(cf + b)) + (fe)^*f(cf + b).$

If $g' = a$ then $v = u'dfeu'' \in M$. If $g' = c$ then $v = u'efeu'' \in M$.

Case 3: $g'' = f$. If $g' = a$ then $u''$ is the empty string and $v = u'dfbu'' \in M$. If $g' = c$ then $u''$ is again the empty string and $v = u'efbu'' \in M$. □

Next we derive a few properties of $u \in M$ if $\phi(u)$ contains a factor $\ell$.

Lemma 10. Let $u \in M$ and $s', s'' \in \Sigma^*$. If $\phi(u) = s'\ell s''$ then $u = u'g'g''u''$, $|\phi(u')| \le |s'| < |\phi(u'g')|$, $|\phi(u'')| \le |s''| < |\phi(g''u'')|$ for some $u', u'' \in \Omega^*$, $g' \in \{a, c\}$, $g'' \in \{a, d, f\}$.

Proof. Suppose that $u \in M$, $s', s'' \in \Sigma^*$, and $\phi(u) = s'\ell s''$. Let $u' \in \Omega^*$ be the longest prefix of $u$ such that $|\phi(u')| \le |s'|$. Let $u'' \in \Omega^*$ be the longest suffix of $u$ such that $|\phi(u'')| \le |s''|$. By $|\phi(u)| > |\phi(u'u'')|$ there is $v \in \Omega^+$ such that $u = u'vu''$. Define $t', t'' \in \Sigma^*$ by $s' = \phi(u')t'$ and $s'' = t''\phi(u'')$. Then

$\phi(u) = \phi(u')\phi(v)\phi(u'') = \phi(u')t'\ell t''\phi(u'')$

whence $\phi(v) = t'\ell t''$. The case $|v| = 1$ implies that $\ell$ is a factor of $r$, so $|v| \ge 2$. We distinguish cases on the form of $v$.

Case 1: $v \in \Omega^*(a + c)(a + d + f)\Omega^*$. Let $g' \in \{a, c\}$, $g'' \in \{a, d, f\}$, $v', v'' \in \Omega^*$, and let $v = v'g'g''v''$. We further distinguish cases whether $v', v''$ are empty strings or not.

Case 1.1: $|v'| = |v''| = 0$. Then $v = g'g''$. By definition of $u'$ we get $|t'| < |\phi(g')|$. By definition of $u''$ we get $|t''| < |\phi(g'')|$. The claim follows.

Case 1.2: $|v'| = 0$, $|v''| > 0$. By $|r| > |\ell|$ and $|r_\alpha| > |\ell|$ and $u \in M$ we get $v \in (a + c)d^+(a + d + f)$. Let $v = v_0g_0$ for some $v_0 \in (a + c)d^+$, and $g_0 \in \{a, d, f\}$. Then there are $\ell', \ell'' \in \Sigma^+$ such that $\ell = \ell'\ell''$, $\phi(v_0) = t'\ell'$, and $\phi(g_0) = \ell''t''$. Since $\phi(g_0)$ is a prefix of $r$, we obtain $\ell'' \in \mathrm{OVL}(\ell, r)$, so $\ell'' = \beta$ and $\ell' = \ell_\beta$. By definition of $v_0$, now $\phi(d) = r_\delta = yawxawwxy$ is a suffix of $\ell_\beta = awx(yawx)^m$. So $m > 0$ and $y$ is a suffix of $yawx$. Then $yaw \in \mathrm{OVL}(\ell, r)$, a contradiction.

Case 1.3: $|v'| > 0$, $|v''| = 0$. Let $v = v_0g_0$ for some $v_0 \in \Omega^+(a + c)$, and $g_0 \in \{a, d, f\}$. Then there are $\ell', \ell'' \in \Sigma^+$ such that $\ell = \ell'\ell''$, $\phi(v_0) = t'\ell'$, and $\phi(g_0) = \ell''t''$. Since $\phi(g_0)$ is a prefix of $r$, we obtain $\ell'' \in \mathrm{OVL}(\ell, r)$, so $\ell'' = \beta$ and $\ell' = \ell_\beta$. Then

$|\ell'| = |\phi(v_0)| - |t'| > |\phi(c)| = |r_{\beta,\alpha}| > |\ell_\beta|,$

a contradiction.

Case 1.4: $|v'|, |v''| > 0$. By $|r| > |\ell|$ and $|r_\alpha| > |\ell|$ and $u \in M$ we get $g' = c$ and $g'' = d$. So $\phi(cd) = r_{\beta,\alpha}r_\delta$ is a factor of $\ell$, whence $|r_{\beta,\alpha}r_\delta| \le |\ell|$, a contradiction.

Case 2: $v \in \Omega^+ \setminus \Omega^*(a + c)(a + d + f)\Omega^*$. Define the set of fragments $\mathcal F(z)$ of a string $z \in \Omega^*$ as follows. If $z \in (\Omega \setminus \{f\})^*$ then $\mathcal F(z) = \{z\}$. Else $z = z_0fz_1 \cdots fz_n$ for some $n \ge 1$ and unique $z_0, \ldots, z_n \in (\Omega \setminus \{f\})^*$; then

$\mathcal F(z) = \{z_0f,\ fz_1f,\ \ldots,\ fz_{n-1}f,\ fz_n\}.$

From $u \in M$ then

$\mathcal F(u) \subseteq (a + d)^*f + f(e + c)(a + d)^*f + fb.$

Because $|r| > |\ell|$, and $\ell$ is not a factor of $r$, we obtain $v \in \mathcal F(u)$. So

$v \in \mathcal F(u) \setminus \Omega^*(a + c)(a + d + f)\Omega^* = d^*f + fed^*f + fb.$

By Lemma 8, $\phi(v)$ has no factor $\ell$, so this case is void. □

Now we are ready to state the simulation lemma.

Lemma 11. Let $u \in M$ and $t \in \Sigma^*$. If $\phi(u) \to t$ then $\phi(v) = t$ and $u \to_R v$ for some $v \in M$.

Proof. Let $u \in M$ and $s', s'', t \in \Sigma^*$, and let $\phi(u) = s'\ell s''$ and $t = s'rs''$. By Lemma 10 there are $u', u'' \in \Omega^*$, $g' \in \{a, c\}$, $g'' \in \{a, d, f\}$ such that $u = u'g'g''u''$ and $|\phi(u')| \le |s'| < |\phi(u'g')|$ and $|\phi(u'')| \le |s''| < |\phi(g''u'')|$. Define $t', t'' \in \Sigma^*$ by $s' = \phi(u')t'$ and $s'' = t''\phi(u'')$. Then

$\phi(u) = \phi(u')\phi(g')\phi(g'')\phi(u'') = \phi(u')t'\ell t''\phi(u''),$

so $\phi(g')\phi(g'') = t'\ell t''$. By $|s''| < |\phi(g''u'')|$ we get $|t''| < |\phi(g'')|$. Define $\ell'' \in \Sigma^+$ by $\phi(g'') = \ell''t''$. Define $\ell' \in \Sigma^*$ by $\ell = \ell'\ell''$. So $\phi(g') = t'\ell'$. By $|s'| < |\phi(u'g')|$ we get $|t'| < |\phi(g')|$ so $\ell' \in \Sigma^+$.

Since $\phi(g'')$ is a prefix of $r$, we obtain $\ell'' \in \mathrm{OVL}(\ell, r)$, so $\ell'' = \beta$ and $\ell' = \ell_\beta$. Define $h', h'' \in \Omega$ by

$h' = d$ if $g' = a$, $h' = e$ if $g' = c$;
$h'' = c$ if $g'' = a$, $h'' = e$ if $g'' = d$, $h'' = b$ if $g'' = f$.

Then $g'g'' \to h'fh''$ is in $R$, and moreover $\phi(g') = \phi(h')\ell_\beta = t'\ell_\beta$ and $\phi(g'') = \beta\phi(h'') = \beta t''$. So $t' = \phi(h')$ and $t'' = \phi(h'')$ and so

$t = s'rs'' = \phi(u')\phi(h')r\phi(h'')\phi(u'') = \phi(v)$

for $v = u'h'fh''u''$. So $u \to_R v$. By Lemma 9 we get $v \in M$. □

We are about to prove termination of $\ell \to r$ by a reduction to termination of $R$. For this purpose we still need $\{\ell \to r\}$-reductions that start in $\phi[M]$. Such reductions are provided by forward closures [9,1] as we will show next. We use the following characterization of forward closures by Hermann.

Definition 4 ([5, Corollaire 2.16]). The set of forward closures of a string rewriting rule $\ell \to r$ over alphabet $\Sigma$ is the least set $FC(\ell \to r)$ of $\ell \to r$-reductions such that

fc1. $(\ell \to r) \in FC(\ell \to r)$,

fc2. if $(s_1 \to^+ t_1\ell') \in FC(\ell \to r)$ and $\ell = \ell'\ell''$ for some $\ell', \ell'' \in \Sigma^+$ then $(s_1\ell'' \to^+ t_1\ell'\ell'' \to t_1r) \in FC(\ell \to r)$,

fc3. if $(s_1 \to^+ t_1\ell t_2) \in FC(\ell \to r)$ then $(s_1 \to^+ t_1\ell t_2 \to t_1rt_2) \in FC(\ell \to r)$.



Lemma 12. Every forward closure of a rule $\ell \to r$ of the form (5) where $\ell_\beta \ell_\beta$ is not a suffix of $r_\alpha$, has a right hand side in $\phi(M)$.

Proof. By induction along the definition of forward closure. Let $(s \to^+ t) \in \mathrm{FC}(\ell \to r)$. In Case (fc1) we have $t = r = \phi(f)$. In Case (fc3) the claim follows from Lemma 11. This leaves to prove Case (fc2).

Suppose that $s = s_1 \ell''$, $t = t_1 r$, $(s_1 \to^+ t_1 \ell') \in \mathrm{FC}(\ell \to r)$, and $\ell = \ell' \ell''$ for some $\ell', \ell'' \in \Sigma^+$. By inductive hypothesis, there is $u \in M$ such that $t_1 \ell' = \phi(u)$. By definition of $M$, $u$ has suffix $f$ or $fb$.

Case 1: $u$ has suffix $fb$. Define $g' \in \Omega^*$ by $u = g' fb$. Then

$g' \in (a + d(fe)^* + d(fe)^* fc)^*\, d(fe)^*$

by definition of $M$. We distinguish cases whether $|\ell'| > |r_\beta|$ or not.

Case 1.1: $|\ell'| > |r_\beta|$. The string $t_1 \ell'$ has suffix $\phi(fb) = r r_\beta$. By $|\ell| < |r|$ and $|\ell'| > |r_\beta|$ we get $\ell' = z r_\beta$ for some non-empty suffix $z$ of $r$. Now $z \in \mathrm{OVL}(r, \ell)$. So $z = \alpha$. So $t_1 \ell' = \phi(g') r r_\beta$, whence $t_1 = \phi(g') r_\alpha = \phi(g'a)$. So

$t_1 r = \phi(g'a) r = \phi(g'af)$ for $g'af \in M$.

Case 1.2: $|\ell'| \le |r_\beta|$. Then $\ell'$ is a suffix of $r_\beta$ and so of $r$. So $\ell' \in \mathrm{OVL}(r, \ell)$, whence $\ell' = \alpha$. So $t_1 \ell' = \phi(g'f) r_\beta$, whence $t_1 = \phi(g'fc)$. So $t_1 r = \phi(g'fc) r = \phi(g'fcf)$ for $g'fcf \in M$.

Case 2: $u$ has suffix $f$. Define $g' \in \Omega^*$ by $u = g' f$. Then

$g' \in (a + d(fe)^* + d(fe)^* fc)^*$

by definition of $M$. By $|\ell| < |r|$ we get that $\ell' \in \mathrm{OVL}(r, \ell)$, whence $\ell' = \alpha$. So $t_1 \ell' = \phi(g'f) = \phi(g') r = \phi(g') r_\alpha \alpha$, whence $t_1 = \phi(g') r_\alpha = \phi(g'a)$. So $t_1 r = \phi(g'a) r = \phi(g'af)$ for $g'af \in M$. □



Lemma 13. A rule $\ell \to r$ of the form (5) terminates if $\ell_\beta \ell_\beta$ is not a suffix of $r_\alpha$.

Proof. If $\ell \to r$ is non-terminating then there is an infinite rewriting sequence $s_1 \to s_2 \to \cdots$ starting from a right hand side of a forward closure [1].

By Lemma 12 $s_1 \in \phi(M)$, i.e., there is $u_1 \in M$ such that $\phi(u_1) = s_1$. By induction on $i$, using Lemma 11, one easily proves that for every $i$ there is an $u_{i+1} \in M$ such that both $u_i \to_R u_{i+1}$ and $\phi(u_{i+1}) = s_{i+1}$. Hence we get an infinite reduction sequence $u_1 \to_R u_2 \to_R \cdots$. Contradiction to termination of $R$. □

Example 2. For every $m \ge 0$, the one-rule SRS

6c(a6c)™+7c ^ abcbcc{abc)"'+y 

is terminating by Lemma 13. With $m = 0$ we get the smallest terminating witness ($|r| = 10$) of Lemma 4.

This example also proves that Kurth's [7] Criterion F is incomplete, for Criterion F applies only to the left barren or right barren cases [3, Theorem 6.31].

We note moreover that the maximal length of a derivation starting with $s \in \Sigma^*$ is linear in $|s|$. This is a direct consequence of the decreasing weight associated with a step $u \to_R v$.

7 The Main Theorem 

Now we have all material together to prove our claim. 

Theorem 6. Let $|\mathrm{OVL}(r, \ell)| = |\mathrm{OVL}(\ell, r)| = 1$. Then $\{\ell \to r\}$ terminates if and only if it has no loop of lengths 1, 2, or 3.

Proof. Let $\mathrm{OVL}(r, \ell) = \{\alpha\}$ and $\mathrm{OVL}(\ell, r) = \{\beta\}$. If $\ell$ is a factor of $r$ then $\{\ell \to r\}$ has a loop of length 1 [7]. Else if $|\ell| \ge |r|$ then $\{\ell \to r\}$ terminates. If $\ell \to r$ is left barren or right barren then $\{\ell \to r\}$ terminates. So suppose that $\ell$ is not a factor of $r$; that $|\ell| < |r|$; and that $\ell \to r$ is neither left barren nor right barren. We distinguish cases:

Case 1: $\ell \to r$ is neither left s-barren nor right s-barren. Then $r = r' \ell_\beta \alpha$ and $r = \beta \ell_\alpha r''$ for some strings $r', r''$. There is a loop of length 2:

$\ell \ell_\alpha \to r \ell_\alpha = r' \ell_\beta \alpha \ell_\alpha = r' \ell_\beta \ell \to r' \ell_\beta r = r' \ell_\beta \beta \ell_\alpha r'' = r' \ell \ell_\alpha r''.$

Case 2: $\ell \to r$ is left s-barren but not right s-barren. Then $\ell \to r$ has the form (5). If $\ell_\beta \ell_\beta$ is a suffix of $r_\alpha$ then $\{\ell \to r\}$ has a loop of length 3 by Lemma 5. Else $\{\ell \to r\}$ terminates by Lemma 13.

Case 3: $\ell \to r$ is not left s-barren but right s-barren. This case is symmetric to Case 2: we have a loop of length 3 if $\ell_\alpha \ell_\alpha$ is a prefix of $r_\beta$, otherwise termination.

Case 4: $\ell \to r$ is both left s-barren and right s-barren. Then Lemma 1 and its dual apply, showing $|\beta| > |\alpha|$ and $|\alpha| > |\beta|$, a contradiction. So this case does not exist. This finishes the proof. □

Since the left barren, right barren, left s-barren, right s-barren properties are 
decidable, one may conclude: 

Corollary 1. Termination is decidable for one-rule SRSs $\{\ell \to r\}$ that satisfy $|\mathrm{OVL}(r, \ell)| = |\mathrm{OVL}(\ell, r)| = 1$.

Corollary 1 also follows directly from Theorem 6 by the decidability of the 
existence of loops of lengths 1, 2, or 3 for one-rule SRSs [8]. 

At the end of the previous section we noted that terminating one-rule SRSs that are left s-barren but neither left barren nor right s-barren have linear derivation lengths. So terminating one-rule SRSs $\{\ell \to r\}$ that satisfy $|\mathrm{OVL}(r, \ell)| = |\mathrm{OVL}(\ell, r)| = 1$ have linear derivation lengths, unless they are left barren or right barren. A right barren rule with one pair of overlaps may have exponential derivation lengths: $ba \to aab$ admits derivations $b^n a \to^* a^{2^n} b^n$.
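To make the overlap condition of Theorem 6 and the remark on derivation lengths concrete, the following C program is an added illustration (not code from the paper). It counts the overlaps between two strings, tests whether $\ell$ is a factor of $r$ (the loop-of-length-1 case), and simulates a one-rule SRS under the leftmost strategy with a step bound. OVL(x, y) is taken here as the set of non-empty proper suffixes of x that are prefixes of y; that reading of the paper's definition, and all function names, are assumptions. Run on the right barren rule ba → aab of this section, it confirms that b^n a reaches the normal form a^(2^n) b^n after exactly 2^n − 1 steps, because every step turns one a into two.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

/* Added example, not from the paper. OVL(x, y) is taken here as the set of
   non-empty proper suffixes of x that are prefixes of y; we only need how many
   there are, which is what the hypothesis of Theorem 6 is about. */
int ovl_count(const char *x, const char *y) {
    size_t lx = strlen(x), ly = strlen(y);
    int count = 0;
    for (size_t k = 1; k < lx && k < ly; k++)
        if (memcmp(x + lx - k, y, k) == 0)
            count++;
    return count;
}

/* A rule l -> r whose left-hand side is a factor of r has a loop of length 1. */
int is_factor(const char *l, const char *r) {
    return strstr(r, l) != NULL;
}

/* Rewrite s with the single rule l -> r, contracting the leftmost redex each
   time, until a normal form is reached or max_steps steps have been done.
   The result is written into out (cap bytes). Returns the number of steps, or
   -1 if out is too small; hitting max_steps suggests non-termination. */
long rewrite_leftmost(const char *s, const char *l, const char *r,
                      char *out, size_t cap, long max_steps) {
    size_t ll = strlen(l), lr = strlen(r);
    if (ll == 0 || strlen(s) + 1 > cap) return -1;
    strcpy(out, s);
    long steps = 0;
    while (steps < max_steps) {
        char *p = strstr(out, l);
        if (p == NULL) break;                     /* normal form reached */
        size_t cur = strlen(out);
        size_t tail = cur - (size_t)(p - out) - ll;
        if (cur - ll + lr + 1 > cap) return -1;
        memmove(p + lr, p + ll, tail + 1);        /* shift the tail, NUL included */
        memcpy(p, r, lr);
        steps++;
    }
    return steps;
}

/* The right barren rule ba -> aab from Section 7, started on b^n a: every step
   turns one a into two, so the normal form a^(2^n) b^n is reached after exactly
   2^n - 1 steps, i.e. the derivation length is exponential in |b^n a| = n + 1. */
long exponential_derivation(int n, char *out, size_t cap) {
    char start[64];
    if (n < 0 || n > 62) return -1;
    memset(start, 'b', (size_t)n);
    start[n] = 'a';
    start[n + 1] = '\0';
    return rewrite_leftmost(start, "ba", "aab", out, cap, LONG_MAX);
}

int main(void) {
    char buf[4096];
    for (int n = 1; n <= 5; n++) {
        long steps = exponential_derivation(n, buf, sizeof buf);
        printf("n=%d: %ld steps, normal form %s\n", n, steps, buf);
    }
    printf("|OVL(aab,ba)| = %d, |OVL(ba,aab)| = %d, ba factor of aab: %d\n",
           ovl_count("aab", "ba"), ovl_count("ba", "aab"), is_factor("ba", "aab"));
    return 0;
}
```

The step bound matters: a rule such as ab → aabb, whose left-hand side is a factor of its right-hand side, never reaches a normal form, and rewrite_leftmost then simply returns max_steps.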

8 Conclusion 

We proved that termination of one-rule SRSs with one pair of overlaps is equiv- 
alent to the non-existence of loops of length less than or equal to 3. Thus we 
showed that termination is decidable for one-rule SRSs with one pair of overlaps. 
A surprising observation in this investigation was the emergence of non-tame 
rules, some admitting loops of length 3, and some terminating. Such rules were 
not covered by the two precursor results by Kurth and by Shikishima-Tsuji et 
al. 
Abstract. Term rewriting can only be applied if practical implementations of term rewriting engines exist. New rewriting engines are designed and implemented either to experiment with new (theoretical) results or to be able to tackle new application areas. In this paper we present the Meta-Environment: an environment for rapidly implementing the syntax and semantics of term rewriting based formalisms. We provide not only the basic building blocks, but complete interactive programming environments that only need to be instantiated by the details of a new formalism.



1 Introduction 

Term rewriting can only be applied if practical implementations of term rewrit- 
ing engines exist. New rewriting engines are designed and implemented either to 
experiment with new (theoretical) results or to be able to tackle new applica- 
tion areas, e.g., protocol verification, software renovation, etc. However, rewrite 
engines alone are not enough to implement real applications. 

An analysis of existing applications of term rewriting, e.g. facilitated by for- 
malisms like Asf+Sdf [11], Elan [3], Maude [9], Rrl [14], Stratego [18], 
TXL [10], reveals the following four required aspects: 

— a formalism that can be executed by a rewriting engine. 

— parsers to implement the syntax of the formalism and the terms. 

— a rewriting engine to implement the semantics of the formalism. 

— a programming environment for supporting user-interaction. 

A formalism introduces the syntactic notions that correspond to the operational 
semantics of the rewriting engine. This allows the user to write readable specifi- 
cations. The parsers provide the connection from the formalism to the rewriting 
engine via abstract syntax trees. The programming environment can be either 
a set of practical command line tools, an integrated system with a graphical 
user-interface, or some combination. It offers a user-interface tailored towards 
the formalism for interacting with the rewriting engine. For a detailed overview 
of rewriting-based systems we refer to [12]. 

Implementing the above four entities is usually a major research and software 
engineering effort, even if we target only small but meaningful examples. It is a 
long path from a description of a term rewriting engine, via language design for 
the corresponding formalism, to a usable programming environment. 

In this paper we present the Meta-Environment: An open architecture of 
tools, libraries, user-interfaces and code generators targeted to the design and 
implementation of term rewriting environments. 

We show that by using the Meta-Environment a mature programming en- 
vironment for a new term rewriting formalism can be obtained in a few steps. 
Our approach is based on well-known software engineering concepts: standard- 
ization (of architecture and exchange format), software reuse (component based 
development), source code generation and parameterization. 

1.1 Requirements 

Real-world examples of term rewriting systems are to be found in many ar- 
eas, including the following ([12]): rewriting workbenches, computer algebra, 
symbolic computation, functional programming, definition of programming lan- 
guages, theorem proving, and generation, analysis, and transformation of pro- 
grams. 

These application areas are quite different, which explains the existence of 
several formalisms each tailored for a certain application domain. Each area 
influences the design and implementation of a term rewriting environment in 
several ways. We identify the following common requirements: 

— Openness. Collaboration with unforeseen components is often needed. It asks 
for an open architecture to facilitate communication between the environ- 
ment, the rewriting engine, and foreign tools. 

— Readable syntax. Syntax is an important design issue for term rewriting for- 
malisms. Although conceptually syntax might be a minor detail, a formalism 
that has no practical and readable syntax is not usable. 

— Scalability. Most real-world examples lead to big specifications or big terms. 
Scalability means that the implementation is capable of handling such prob- 
lems using a moderate amount of resources. 

— Graphical User Interface. A GUI with editors is needed. It automates as 
much of the browsing, editing and testing, of specifications as possible. 



The above four issues offer no deep conceptual challenges, but still they stand 
for a considerable design and engineering effort. We offer immediately usable 
solutions concerning each of those issues in this paper. This paves the way for the 
application of new experiments concerning term rewriting that would otherwise 
have cost months to implement. In that sense, this paper contributes to the 
promotion and the development of rewriting techniques and their applications. 
Fig. 1. A complete environment consisting of a generic part and an Asf specific part 



2 Architecture for an Open Environment 

In Section 3 we discuss the specific components of the Meta-Environment that 
can be used to implement a new term rewriting environment. An example envi- 
ronment is implemented in Section 4. Here we discuss the general architecture 
of the Meta-Environment. 

The main issue is to separate computation from communication. This sepa- 
ration is achieved by means of a software coordination architecture and a generic 
data exchange format. An environment is obtained by plugging in the appropri- 
ate components into this architecture. 

ToolBus. To prevent entangling of coordination with computation in compo- 
nents we introduce a software coordination architecture, the ToolBus [1]. It is a 
programmable software bus based on Process Algebra. Coordination is expressed 
by a formal description of the cooperation protocol between components while 
computation is expressed inside the components that may be written in any 
language. Figure 1 visualizes a ToolBus application (to be discussed below). 

Separating computation from communication means that each of these com- 
ponents is made as independent as possible from the others. Each component 
provides a certain service to the other components via the software bus. They 
interact with each other using messages. The organization of this interaction is 
fully described using a script that corresponds to a collection of process algebra 
expressions. 

ATerms. Coordination protocol and components have to share data. We use 
ATerms [5] for this purpose. These are normal prefix terms with optional an- 
notations added to each node. The annotations are used to store tool-specific 
information such as text coordinates or proof obligations. All data that is com- 
municated via the ToolBus is encoded as ATerms. ATerms are comparable to 
XML, both are generic data representations. Although there are tools for con- 
versions between these formats, we prefer ATerms for efficiency reasons. They 
can be linearized using either a readable representation or a very dense binary 
encoding. 
ATerms can not only be used as a generic data exchange format but also 
to implement an efficient term data structure in rewriting engines. The ATerm 
library offers a complete programming interface to the term data structure. It 
is used to implement term rewriting interpreters or run-time support for com- 
piled rewriting systems. The following three properties of the ATerm library 
are essential for term rewriting: 

— Little memory usage per node. 

— Maximal sub-term sharing. 

— Automatic garbage collection. 

Maximal sharing has proven to be a very good method for dealing with large 
amounts of terms during term rewriting [4,18]. It implies that term equality 
reduces to pointer equality. Automatic garbage collection is a very practical 
feature that significantly reduces the effort of designing a new rewriting engine 
or compiler. 
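To show what maximal sharing means in practice, here is an added example (our own code, not the ATerm library) of a hash-consed term store in C: before a node is allocated it is looked up in a hash table, so two structurally equal terms are always the same node and term equality reduces to pointer equality. Function names and the table layout are assumptions; real ATerms add the annotations, garbage collection and binary encoding mentioned above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Added example (not ATerm library code): a minimal hash-consed term store that
   shows what "maximal sub-term sharing" buys. Every structurally equal term is
   built exactly once, so equality of terms is equality of pointers. */
#define MAX_ARITY 4
#define TABLE_SIZE 4096

typedef struct Term {
    const char *fun;                 /* function symbol, owned copy */
    int arity;
    const struct Term *args[MAX_ARITY];
    struct Term *next;               /* collision chain in the hash table */
} Term;

static Term *table[TABLE_SIZE];
static long node_count = 0;          /* how many distinct nodes exist */

static unsigned long bucket_of(const char *fun, int arity, const Term *const *args) {
    unsigned long h = 5381;
    for (const char *p = fun; *p; p++) h = h * 33 + (unsigned char)*p;
    h = h * 33 + (unsigned long)arity;
    /* children are unique already, so their addresses identify them */
    for (int i = 0; i < arity; i++) h = h * 33 + (unsigned long)(uintptr_t)args[i];
    return h % TABLE_SIZE;
}

/* Look up fun(args...) and return the shared node, creating it only if absent. */
const Term *make_term(const char *fun, int arity, const Term *const *args) {
    if (arity < 0 || arity > MAX_ARITY) return NULL;
    unsigned long b = bucket_of(fun, arity, args);
    for (Term *t = table[b]; t != NULL; t = t->next)
        if (t->arity == arity && strcmp(t->fun, fun) == 0 &&
            (arity == 0 || memcmp(t->args, args, sizeof(const Term *) * (size_t)arity) == 0))
            return t;                /* already exists: share it */
    Term *t = calloc(1, sizeof *t);
    char *copy = malloc(strlen(fun) + 1);
    if (t == NULL || copy == NULL) return NULL;
    strcpy(copy, fun);
    t->fun = copy;
    t->arity = arity;
    for (int i = 0; i < arity; i++) t->args[i] = args[i];
    t->next = table[b];
    table[b] = t;
    node_count++;
    return t;
}

const Term *make_constant(const char *fun) { return make_term(fun, 0, NULL); }

const Term *make_app2(const char *fun, const Term *a, const Term *b) {
    const Term *args[2] = { a, b };
    return make_term(fun, 2, args);
}

/* With maximal sharing, structural equality is a pointer comparison. */
int term_equal(const Term *a, const Term *b) { return a == b; }

long shared_node_count(void) { return node_count; }

int main(void) {
    const Term *x = make_app2("and", make_constant("true"), make_constant("false"));
    const Term *y = make_app2("and", make_constant("true"), make_constant("false"));
    const Term *z = make_app2("and", x, y);   /* both children are the same node */
    printf("x == y: %d, nodes: %ld, z shares its children: %d\n",
           term_equal(x, y), shared_node_count(), z->args[0] == z->args[1]);
    return 0;
}
```

Building and(true,false) twice costs three nodes in total, not six, and the second construction is a table lookup rather than an allocation; this is also why the hash of a node can use the addresses of its children instead of recursing into them.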

Meta-Environment Protocol. The ToolBus and ATerms are more widely ap- 
plicable than just for term rewriting environments. To instantiate this generic 
architecture, the Meta-Environment ToolBus scripts implement a coordination 
protocol between its components. Together with the tools, libraries and program 
generators this protocol implements the basic functionality of an interactive en- 
vironment. 

The Meta-Environment protocol makes no assumptions about the rewriting 
engine and its coordination with other tools. In order to make a complete term 
rewriting environment we must complement the generic protocol with specific 
coordination for every new term rewriting formalism. 

For example, the architecture of the Asf+Sdf Meta-Environment is shown 
in Figure 1. The ToolBus executes the generic Meta-Environment protocol, de- 
picted by the circles in the left-hand side of the picture. It communicates with 
external tools, depicted by squares. The right-hand side of the picture shows a 
specific extension of the Meta-Environment protocol, in this example it is de- 
signed for the Asf+Sdf rewriting engines. It can be replaced by another protocol 
in order to construct an environment for a different rewriting formalism. 

Hooks. The messages that can be received by the generic part are known in 
advance, simply because this part of the system is fixed. The reverse is not true, 
the generic part can make no assumptions about the other part of the system. 

We identify messages that are sent from the generic part of the Meta-Envir- 
onment to the rewriting formalism part as so-called hooks. Each instance of an 
environment should at least implement a receiver for each of these hooks. Ta- 
ble 1 shows the basic Meta-Environment hooks. The first four hooks instantiate 
parameters of the GUI and the editors. The last four hooks are events that need 
to be handled in a manner that is specific for the rewriting formalisms. 
Table 1. The Meta-Environment hooks: the hooks that parameterize the GUI (top half), and events concerning the syntax and semantics of a term rewriting formalism (bottom half).

Hook                               Description
environment-name(Name)             The main GUI window will display this name
extensions(Sig, Sem, Term)         Declares the extensions of different file types
stdlib-path(Path)                  Sets the path to a standard library
semantics-top-sort(Sort)           Declares the top non-terminal of a specification

rewrite(Sig, Sem, Term)            Rewrite a term using a specification
pre-parser-generation(Sig)         Manipulate the syntax before parser generation
rename-semantics(Sig, Binds, Sem)  Implement module parameterization
pre-rewrite(Sig, Spec)             Actions to do before rewriting



3 Reusable Components 

In this section we present reusable components to implement each aspect of 
the design of a term rewriting environment. The components are either tools, 
libraries or code generators. In Section 4 we explain how to use these compo- 
nents to create a programming environment using an example term rewriting 
formalism. 



3.1 Generalized Parsing for a Readable Formalism 

We offer generic and reusable parsing technology. An implementation of parsing 
usually consists of a syntax definition formalism, a parser generator, and run- 
time support for parsing. Additionally, automated parse tree construction and 
abstract syntax tree construction are offered. Table 2 shows a list of components 
related to parsing. 

Syntax. Sdf is a declarative syntax definition formalism used to define modular 
context-free grammars. Both lexical syntax and context-free syntax can be ex- 
pressed in a uniform manner. Among other disambiguation constructs, notions 
for defining associativity and relative priority of operators are present. 

Furthermore, Sdf offers a simple but effective parameterization mechanism. 
A module may be parameterized by formal parameters attached to the module 
name. Using the import mechanism of Sdf this parameter can be bound to an 
actual non-terminal. 

Programs that deal with syntax definitions can use the Sdf library. It pro- 
vides a complete high-level programming interface for dealing with syntax defi- 
nitions. 

Concrete syntax. Recall that a syntax definition can serve as a many-sorted signature for a term rewriting system. The grammar productions in the definition are the operators of the signature and the non-terminals are the sorts. The number of non-terminals used in a grammar production is the arity of an operator.

Environments for Term Rewriting Engines for Free! 429

Table 2. A list of the most frequently used components for Sdf and Asfix

Tool      Type                   Description
pgen      SDF -> Table           Generates a parse table from a syntax definition
sglr      Table x Str -> AsFix   Parses an input string and yields a derivation
implode   AsFix -> ATerm         Maps a parse tree to an abstract term
posinfo   AsFix -> AsFix         Adds line and column annotations
unparse   AsFix -> Str           Yields the string that is derived by a parse tree

Concrete syntax for any term rewriting formalism can be obtained by simply 
expressing both the fixed syntax of the formalism and the user defined syntax 
of the terms in Sdf. A parameterized Sdf module is used to describe the fixed 
syntax. This module can be imported for every sort in the user-defined syntax. 
An example is given in Section 4. 

SGLR. To implement the Sdf formalism, we use scannerless generalized LR 
parsing [7]. The result is a simple parsing architecture, but capable of handling 
any modular context-free grammar. 

Asfix. SGLR produces parse trees represented as ATerms. This specific class 
of ATerms is called Asfix. Every Asfix parse tree explains exactly, for each 
character of the input, which Sdf productions were applied to obtain a deriva- 
tion. A library is offered to be able to create components that deal with Asfix. 

3.2 Establishing the Connection between Parsing and Rewriting 

The Sdf library and the Asfix library can be used to implement the connection 
between the parser and a rewriting engine. Furthermore, we can also automati- 
cally generate new libraries specifically tailored towards the rewriting formalism 
that we want to implement [13]. 

We use an Sdf definition of the new formalism to generate C or Java libraries 
that hide the actual ATerm representation of a parse tree of a specification 
behind a typed interface. The generated interfaces offer: reading in parse trees, 
constructors, getters and setters for each operator of the new formalism. Apart 
from saving a lot of time, using these code generators has two major advantages: 

— The term rewriter can be developed at a higher level of abstraction. 

— Programming errors are prevented by the strictness of the generated types. 

3.3 Graphical User Interface 

MetaStudio. The Meta-Environment contains a user-interface written in Java 
(Figure 2). It can be used to browse modules. Every module has a number 
of actions that can be activated using the mouse. The actions are sent to the 
ToolBus. MetaStudio has parameters to configure the name of the environment, 
the typical file extensions, etc. 
Fig. 2. GUI of the Meta-Environment displaying an import relation. 



Editors. Editing of specifications and terms is done via XEmacs^1. To implement 
structure-editing capabilities, XEmacs communicates with another component 
that holds a tree representation of the edited text. 

Utilities. Among other utilities, we offer file I/O and in-memory storage that 
aid in the implementation of an interactive environment. 



4 A New Environment in a Few Steps 

In this section we show the steps involved in designing a new environment. 
We take a small imaginary formalism called “rho” as a running example. It 
is a subset of the ρ-calculus [8], having first-class rewrite rules and an explicit 
application operator. The recipe to create a RHO environment is: 

1. Instantiate the parameters of the GUI. 

2. Define the syntax of rho. 

3. Write some small RHO specifications. 

4. Implement and connect a RHO interpreter. 

5. Connect other components. 

1. Instantiate the parameters of the GUI: We start from a standard Tool- 
Bus script that implements default behavior for all the hooks of Table 1. We 
can immediately bind some of the configuration parameters of the GUI. In 
the case of rho, we can instantiate two hooks: environment-name("The rho Environment") and extensions(".sdf", ".rho", ".trm").

Using the RHO Meta-Environment is immediately possible. It offers the user 
three kinds of syntax-directed editors that can be used to complete the rest of 
the recipe: Sdf editors, editors for the (yet unspecified) RHO formalism, and 
term editors. 

1 http://www.xemacs.org
[Fig. 3 is a screenshot of two XEmacs Sdf editors, Rho.sdf and Rho-Lexical.sdf; only the module text is reproduced here.]

module Rho[Term]
imports Rho-Lexical
exports
  sorts Rho Decl Decls
  context-free syntax
    "rho" Decl*      -> Decls
    Id ":=" Rho      -> Decl
    Term | Id        -> Rho
    Rho "->" Rho     -> Rho {right}
    Rho "." Rho      -> Rho {left}

module Rho-Lexical
exports
  lexical syntax
    [A-Za-z][a-zA-Z0-9]*  -> Id
    [\ \t\n]              -> LAYOUT
    "%%" ~[\n]* "\n"      -> LAYOUT

Fig. 3. A parameterized syntax definition of the formalism rho.



2. Define the syntax of RHO: Figure 3 shows how the Sdf editors can be used to define the syntax of rho^2. It has some predefined operators like assignment (":="), abstraction ("->") and application (".") but also concrete syntax for basic terms. So, a part of the syntax of a RHO term is user-defined. The parameterization mechanism of Sdf is used to leave a placeholder (Term) at the location where user-defined terms are expected^3. The Term parameter will later be instantiated when writing rho specifications.

To make the syntax-directed editors for rho files work properly we now have 
to instantiate the following hook: semantic-top-sort ("Decls"). The parame- 
ter "Decls" refers to the top sort of the definition in Figure 3. 

3. Write some small RHO specifications: We want to test the syntax of the new 
formalism. Figure 4 shows how two editors are used to specify the signature and 
some rules for the Boolean conjunction. Notice that the Rho module is imported 
explicitly by the Booleans module; here we instantiate the Term placeholder 
for the user-defined syntax. In Section 3 we explain how to add the imports 
implicitly. 

We can now experiment with the syntax of RHO, define some more operators, 
basic data- types or start a standard library of RHO specifications. For the GUI, 
the location of the library should be instantiated using the stdlib-path hook. 

4. Implement and connect a RHO interpreter: As mentioned in Section 2, the 
ATerm library is an efficient choice for a term implementation. Apart from that 
we present the details of the connection between a parsed specification and an 
implementation of the operational semantics of rho. The algorithmic details of 
evaluating rho are left to the reader, because that changes with each instance 
of a new formalism. 

The rewrite hook connects a rewriting engine to the RHO environment: rewrite(Syntax, Semantics, Term). From this message we receive the information that is to be used by the rewriting engine. Note that this does not prevent the engine from requesting any other information from other components using extra messages.

2 For the sake of brevity, Figure 3 does not show any priorities between operators.

3 Having concrete syntax of terms is not obligatory.
[Fig. 4 is a screenshot of two XEmacs editors, Booleans.sdf and Booleans.rho; only the text is reproduced here.]

module Booleans
imports Rho[Bool]
exports
  sorts Bool
  context-free syntax
    "true" | "false"  -> Bool
    Bool "&" Bool     -> Bool {left}
  variables
    "B" -> Bool

rho
  conj1 := true & B -> B
  conj2 := false & B -> false
  test  := conj1 . true & false

Fig. 4. A definition of the Boolean conjunction in Sdf+rho.



The input data that is received can be characterized as follows: Syntax is a list of all Sdf modules (the parse-trees of Rho.sdf and Booleans.sdf). Semantics is a list of all RHO modules (the parse-tree of Booleans.rho). Term is the expression that is to be normalized (for example a parse-tree of a file called test.trm).

Two scenarios are to be considered: either a RHO engine already exists, or 
a new engine has to be designed from scratch. In the first case, the data-types 
of the Meta-Environment will be converted to the internal representation of the 
existing engine. In the second case, we can implement a new engine based on 
the data-types of the Meta-Environment directly. In both cases the three data- 
types of the Meta-Environment are important: Sdf, Asfix and ATerms. The 
libraries and generators ensure that these cases can be specified on a high level 
of abstraction. We split the work into the signature and semantics parts of rho. 

Signature. To extract the needed information from the user-defined signature the 
Sdf modules should be analyzed. The Sdf library is the appropriate mechanism 
to inspect them in a straightforward manner. 

Semantics. Due to having concrete syntax, the list of parse trees that repre- 
sent RHO modules is not defined by a fixed signature. We can divide the set of 
operators in two categories: 

— A fixed set of operators that correspond to the basic operators of the formal- 
ism. Each fixed operator represents a syntactical notion that should be given 
a meaning by the operational semantics. For rho, assignment, abstraction, 
and application are examples of fixed operators. 

— Free terms occur at the location where the syntax is user-defined. In rho 
this is either as the right-hand side of an assignment or as a child of the 
abstraction or application operators. 

There is a practical solution for dealing with each of these two classes of 
operators. Firstly, from an Sdf definition for rho we generate a library specif- 
ically tailored for rho. This library is used to recognize the operators of RHO 
and extract information via an abstract typed interface. For example, one of the 
C function headers in this generated library is: Rho getRuleLhs(Rho rule). A 
RHO interpreter can use it to retrieve the left-hand side of a rule. 

Secondly, the free terms can be mapped to simple prefix ATerms using the 
component implode, or they can be analyzed directly using the Asfix library. 
The choice depends on the application area. E.g., for source code renovation 
details such as white space and source code comments are important, but for 
symbolic computation this information might as well be thrown away in favor 
of efficiency. 

In the case of an existing engine, the above interfaces are used to extract 
information before providing it to the engine. In the case of a new engine, the 
interfaces are used to directly specify the operational semantics of rho. 
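What a RHO interpreter does with the data it receives through the rewrite hook can be sketched in a few dozen lines. The following is an added example, not code of the Meta-Environment or of the RHO implementation described here: it represents imploded parse trees as plain prefix terms, wraps rules in typed accessors in the style of the generated C interface of Section 3.2 (getRuleLhs mirrors the paper's Rho getRuleLhs(Rho rule); the term representation and every other name are assumptions), and implements the application operator of rho by matching the left-hand side of a rule at the root of a term and instantiating the right-hand side. Applied to the rules of Fig. 4, conj1 . true & false yields false, while conj2 does not match and yields no result.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Meta-Environment code. A stand-in for what a RHO interpreter
   does with the data received through the rewrite hook once the parse trees have
   been imploded to plain prefix terms. A rule is ":="(name, "->"(lhs, rhs)); the
   accessors mimic the generated typed interface (cf. Rho getRuleLhs(Rho rule))
   but everything here, names included, is hypothetical. */
#define MAX_KIDS 2
#define MAX_VARS 8

typedef struct Term {
    const char *sym;
    int is_var;                     /* 1 for a RHO variable such as B */
    int arity;
    const struct Term *kid[MAX_KIDS];
} Term;

static const Term *mk(const char *sym, int is_var, int arity, const Term *a, const Term *b) {
    Term *t = calloc(1, sizeof *t);
    t->sym = sym; t->is_var = is_var; t->arity = arity; t->kid[0] = a; t->kid[1] = b;
    return t;
}
#define CONST(s)      mk((s), 0, 0, NULL, NULL)
#define VAR(s)        mk((s), 1, 0, NULL, NULL)
#define APP2(s, a, b) mk((s), 0, 2, (a), (b))

const Term *getRuleLhs(const Term *rule) { return rule->kid[1]->kid[0]; }
const Term *getRuleRhs(const Term *rule) { return rule->kid[1]->kid[1]; }

typedef struct { const char *name; const Term *value; } Binding;
typedef struct { Binding b[MAX_VARS]; int n; } Subst;
static const Term *lookup(const Subst *s, const char *name) {
    for (int i = 0; i < s->n; i++)
        if (strcmp(s->b[i].name, name) == 0) return s->b[i].value;
    return NULL;
}

static int term_eq(const Term *x, const Term *y) {
    if (x->arity != y->arity || x->is_var != y->is_var || strcmp(x->sym, y->sym) != 0) return 0;
    for (int i = 0; i < x->arity; i++) if (!term_eq(x->kid[i], y->kid[i])) return 0;
    return 1;
}

/* Syntactic matching of pattern p against t. A variable met twice must be bound
   to equal terms, so non-linear left-hand sides are handled as well. */
static int match(const Term *p, const Term *t, Subst *s) {
    if (p->is_var) {
        const Term *bound = lookup(s, p->sym);
        if (bound != NULL) return term_eq(bound, t);
        if (s->n == MAX_VARS) return 0;
        s->b[s->n].name = p->sym; s->b[s->n].value = t; s->n++;
        return 1;
    }
    if (p->arity != t->arity || t->is_var || strcmp(p->sym, t->sym) != 0) return 0;
    for (int i = 0; i < p->arity; i++) if (!match(p->kid[i], t->kid[i], s)) return 0;
    return 1;
}

/* Instantiate the variables of t according to s (unbound variables stay). */
static const Term *subst(const Term *t, const Subst *s) {
    if (t->is_var) { const Term *v = lookup(s, t->sym); return v ? v : t; }
    if (t->arity == 0) return t;
    return mk(t->sym, 0, t->arity, subst(t->kid[0], s), t->arity > 1 ? subst(t->kid[1], s) : NULL);
}

/* RHO application "rule . term": match at the root and instantiate the rhs.
   NULL means the rule does not apply (the rho-calculus then yields the empty set). */
const Term *apply_rule(const Term *rule, const Term *t) {
    Subst s;
    memset(&s, 0, sizeof s);
    if (!match(getRuleLhs(rule), t, &s)) return NULL;
    return subst(getRuleRhs(rule), &s);
}

/* Render a term in prefix notation, e.g. &(true,false); buf must start out empty. */
static void append(char *buf, size_t cap, const char *s) {
    size_t n = strlen(buf);
    if (n + 1 < cap) snprintf(buf + n, cap - n, "%s", s);
}
void term_to_string(const Term *t, char *buf, size_t cap) {
    append(buf, cap, t->sym);
    if (t->arity == 0) return;
    append(buf, cap, "(");
    for (int i = 0; i < t->arity; i++) {
        if (i > 0) append(buf, cap, ",");
        term_to_string(t->kid[i], buf, cap);
    }
    append(buf, cap, ")");
}

/* The rules of Fig. 4: conj1 := true & B -> B and conj2 := false & B -> false. */
const Term *rule_conj1(void) {
    return APP2(":=", CONST("conj1"), APP2("->", APP2("&", CONST("true"), VAR("B")), VAR("B")));
}
const Term *rule_conj2(void) {
    return APP2(":=", CONST("conj2"), APP2("->", APP2("&", CONST("false"), VAR("B")), CONST("false")));
}
```

The test declaration of Fig. 4, test := conj1 . true & false, corresponds to apply_rule(rule_conj1(), APP2("&", CONST("true"), CONST("false"))), which returns the term false; with maximally shared ATerms in place of the plain structs above, the term_eq used for non-linear matching would collapse to a pointer comparison.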

5. Connect other components: There are some more hooks that can be instan- 
tiated in order to influence the behavior of the Meta-Environment. Also, the 
RHO part of the newly created environment might introduce other components 
besides the rewriting engine. 

We give two examples here. The pre-parser-generation hook can be used 
to extend the user-defined syntax with imports of the RHO syntax automatically 
for each non-terminal. Secondly, the pre-rewrite hook can be used to 
connect an automatic verifier or prover like a Knuth-Bendix completion proce- 
dure. 

Adding unanticipated tools is facilitated at three levels by the Meta-Envir- 
onment. Firstly, an Sdf production can have any attribute to make it possible 
to express special properties of operators for the benefit of new tools. An exam- 
ple: B B -> B { left, lpo-precedence(42) }. Secondly, any ATerm can be 
annotated with extra information without affecting the other components. For 
example: and(true,false){not-reduced}. Finally, all existing services of the 
Meta-Environment are available to the new tool. It can for example open a new 
editor to show its results using this message: new-editor(Contents). 

5 Instantiations of the Meta-Environment 

We now introduce the four formalisms we have implemented so far using the 
above recipe. We focus on the discriminating aspects of each language. 

Asf [11] is a term rewriting formalism based on leftmost-innermost normaliza- 
tion. The rules are called equations and are written in concrete syntax. Equations 
can have a list of conditions which must all evaluate to true before a reduction 
succeeds. The operational semantics of Asf also introduces rewriting with layout 
and traversal functions [6] , operators that traverse the subterm they are applied 
to. 

The above features correspond to the application areas of Asf. It is mainly 
used for design of the syntax and semantics of domain specific languages and 
analysis and transformation of programs in existing programming languages. 
From the application perspective Asf is an expressive form of first-order func- 
tional programming. The Meta-Environment serves as a programming environ- 
ment for Asf. 

Elan [3] is based on rewrite rules too. It provides a strategy language, allowing 
to control the application of rules instead of leaving this to a fixed normalization 
strategy. Primitive strategies are labelled rewrite rules, which can be combined 
using basic strategy operators. New strategy operators can be expressed by defin- 
ing them in terms of less complex ones. Elan supports the design of theorem 
provers, logic programming languages, constraint solvers and decision procedures 
and offers a modular framework for studying their combination. 

In order to improve the architecture, and to make the Elan system more 
interactive, it was decided to redesign the Elan system based on the Meta-Envir- 
onment. The instantiation of the Elan environment involved the implementation 
of several new components, among others an interpreter. Constructing the Elan 
environment was a matter of a few months. 

The ρ-calculus [8] integrates in a uniform and simple setting first-order rewriting, lambda-calculus and non-deterministic computations. Its abstraction mechanism is based on the rewrite rule formation. The application operator is explicit, allowing sets of results to be handled explicitly.

The ρ-calculus is typically a new rewriting formalism which can benefit from the Meta-Environment. We have prototyped a workbench for the complete ρ-calculus. After that, we connected an existing ρ-calculus interpreter. This experiment was realized in one day.

The JITty interpreter [17] is a part of the μCRL [2] toolset. In this toolset it is used as an execution mechanism for rewrite rules. JITty is not supported by its own formalism or a specialized environment. However, the ideas of the JITty interpreter are more generally applicable. It implements an interesting normalization strategy, the so-called just-in-time strategy. A workbench for the JITty interpreter was developed in a few hours, allowing experiments with the JITty interpreter to be performed.

6 Conclusions 

Experiments with and applications of term rewriting engines are within much closer reach using the Meta-Environment, as compared to designing and engineering a new formalism from scratch.

We have presented a generic approach for rapidly developing the three major ingredients of a term rewriting based formalism: syntax, rewriting, and an environment. Using the scalable technology of the Meta-Environment significantly reduces the effort to develop them. We used our approach to build four environments. Two of them are actively used by their respective communities. The others serve as workbenches for new developments in term rewriting.

The Meta-Environment and its components can now support several term rewriting formalisms. A future step is to build environments for languages like Action Semantics [15] and Tom [16]. Apart from more environments, other future work consists of even further parameterization and modularization of the Meta-Environment. Making the Meta-Environment open to different syntax definition formalisms is an example. The Meta-Environment can be downloaded via:
http://www.cwi.nl/projects/MetaEnv
Abstract. This paper gives a bottom-up logic programming formulation of the Hindley-Milner polymorphic type inference algorithm. We show that for programs of bounded order and arity the given algorithm runs in O(nα(n) + dn) time where n is the length of the program, d is the "scheme depth" of the program, and α is the inverse of Ackermann's function. It is argued that for practical programs d will not exceed 5 even for programs with hundreds of module layers. This formulation of the Hindley-Milner algorithm is intended as a case study in "logical algorithms", i.e., algorithms presented and analyzed as bottom-up inference rules.



1 Introduction 

This paper is a case study in the use of bottom-up logic programming for the presentation and analysis of complex algorithms. The use of bottom-up logic programming for algorithm presentation has been developed in a recent series of papers whose main contributions are theorems governing the running time of these programs [6,1,2]. This paper explores the use of these run time theorems for the presentation and analysis of the Hindley-Milner type inference algorithm used in the ML and Caml programming languages [7]. It is known that for programs where procedures can take an unbounded number of arguments and be of unboundedly high order (procedures which take procedures which take procedures ...) the type inference problem is complete for exponential time [4,5]. In practice human written procedures never take more than twenty arguments and are never more than fifth order. It is known that for bounded order and arity the type inference problem can be done in polynomial time [3]. However, I am not aware of a published analysis giving a particular polynomial running time for this problem. This paper gives an inference rule presentation of a version of the Hindley-Milner type inference algorithm and shows that this version runs in time O(nα(n) + dn) where d is the "scheme depth" of the program. The algorithm presented here is very similar to the one described in [8] although no formal analysis of running time is given there. Section 5 defines scheme depth and argues that it can be expected to be less than 5 even for programs with hundreds of module layers.



R. Nieuwenhuis (Ed.): RTA 2003, LNCS 2706, pp. 436-451, 2003.
(c) Springer-Verlag Berlin Heidelberg 2003

A Logical Algorithm for ML Type Inference 437

2 The LDP Programming Language

Here we use (essentially) the logic programming language and run time model specified in [2]. For convenience we will here refer to this programming language as LDP for Logic programs with Deletions and Priorities. It is important to note that deletions and priorities have been widely discussed in the logic programming literature. The main contribution of [2] is the definition of an abstract notion of running time and a proof that this abstract definition of running time can be implemented on a conventional random access computer. This run time result is stated in section 3. We now define an LDP program to be a set of inference rules where an inference rule is specified by the category r in the following grammar.

N = i | n | N1 + N2 | N1 * N2
H = x | f(τ1, ..., τk)
τ = H | N

A = P(τ1, ..., τk) | N1 ≤ N2
C = P(τ1, ..., τk) | del(P(τ1, ..., τk))

r = A1, ..., An → C1, ..., Ck with priority N

Every variable in the priority N occurs in A1.

If Ai = P(τ1, ..., τk) then Ai does not contain + or *.

If Ai = N1 ≤ N2 then every variable in Ai occurs in some Aj for j < i.
Every variable in Ci occurs in some Aj.

This is a two-sorted grammar with a sort for Herbrand terms (H) and a separate sort for integers (N). There are two sorts of variables: Herbrand variables such as x in the grammar for H and integer variables such as i in the grammar for N. In the grammar for integers, n ranges over any integer constant. We allow predicates and functions to take either sort as arguments, although we assume that each predicate and function symbol has a specified arity and a specified sort for each argument, and all applications of predicate and function symbols must respect this specification to be well formed. The function symbol f in the grammar for Herbrand terms should be viewed as a data constructor.

The inference rules are to be run bottom-up. For rules not involving deletion, a state of the system is a database of assertions which grows monotonically by adding new assertions derivable from some rule and assertions already in the database. When deletion is involved each rule states that its conclusion actions are to be taken whenever its antecedents are satisfied. The actions are either additions to, or removals from, a database of assertions of the form P(τ1, ..., τn). A particular use (instance) of a rule involves particular values for all the variables of that rule. Given values for the variables in the first antecedent, a rule is associated with an integer priority where the integer 1 is the highest priority (priority 1 rules run first). Priorities smaller than 1 are treated as equivalent to 1 but (instances of) rules with larger priority values run only if no higher priority rule instance can run.

D1 (priority 1):
  source(v)
  → dist(v, 0)

D2 (priority 1):
  dist(v, d), dist(v, d'), d' < d
  → del(dist(v, d))

D3 (priority d + 2):
  dist(v, d), E(v, c, u)
  → dist(u, d + c)

Fig. 1. Dijkstra Shortest Path.

Figure 1, taken from [2], gives an LDP implementation of the Dijkstra shortest path algorithm. The input is an initial database containing assertions of the form E(v, c, u) stating that there is an edge from v to u of cost c plus an assertion of the form source(v) stating that v is the source node. In the figure each rule is given a name and a priority. For example, rule D2 has priority 1 while rule D3 has priority d + 2 where the integer variable d occurs in the first antecedent of the rule. Different uses of the rule D3 run at different priorities. This has the effect that distances are established in a shortest-first order as in the normal Dijkstra shortest path algorithm. The general run time model for inference rules given in section 3 implies that these rules run in O(e log e) where e is the number of initial assertions. Note that d' < d can be written as d' + 1 ≤ d.

We now consider the operational semantics of an arbitrary set of LDP rules in more detail. A ground assertion is one not containing variables or arithmetic operations. A program state is a set S of ground assertions of the form P(t1, ..., tk) and deletion assertions of the form del(P(t1, ..., tk)). Deletion actually adds an assertion of the form del(P(t1, ..., tk)) so that the set S grows monotonically over the execution of the algorithm. However, only the positive elements of S that have not been deleted are "visible" to the antecedents of the inference rules. Once a ground assertion has been both asserted and deleted, new assertions or deletions of that ground assertion do not change the state of the database. Let r be the rule A1, ..., An → C1, ..., Cm at priority N. Let σ be a substitution assigning (ground) values to all the variables in the rule r. The pair (r, σ) will be called an instance of r. The instance (r, σ) is called pending at state S if each antecedent σ(Ai) holds in the state S and firing the rule would change the state, i.e., S ≠ S ∪ {σ(C1), ..., σ(Cm)}. We say that state S can make an R-transition to state S', written S →R S', if there exists a pending rule instance (r, σ) with r ∈ R such that no pending instance of a rule in R has higher priority and S' is S ∪ {σ(C1), ..., σ(Cm)} where C1, ..., Cm is the conclusion of r. We say that W is a final state for R on input S if no rule instances are pending in W and W is reachable from S by a sequence of R-transitions. One should think of R as a (don't care) nondeterministic procedure for mapping input S to output W.
3 The Running Time of LDP Programs

We say that R terminates on input S if there is no infinite sequence S1, S2, S3, ... such that S = S1 and Si →R Si+1. The Dijkstra shortest path algorithm in figure 1 terminates even if we assign all rules priority 1 so that they can fire in any order. However, we are interested here in a much more refined analysis of running time when the rule set is implemented on a conventional random access computer. To make statements about conventional running time we introduce the notion of a prefix firing. A prefix instance of r with n antecedents is a triple (r, i, σ) where 1 ≤ i ≤ n and σ is a ground substitution defined on (only) the variables occurring in the antecedent prefix A1, ..., Ai of r. Intuitively, a prefix instance is a way of instantiating the first i antecedents of the rule. Let W be a final state of input S for rule set R. An atomic formula P(t1, ..., tk) in W will be said to have been asserted and will be said to have been deleted if W contains del(P(t1, ..., tk)). An assertion is visible to the antecedents of rules if it has been asserted but has not been deleted.

Definition: A prefix firing of a rule r over a final state W is a prefix instance (r, i, σ) of r such that σ(A1), ..., σ(Ai) have all been asserted (and possibly also deleted) where A1, ..., Ai are the first i antecedents of r.

The basic result in [6] is that for a rule set R in which all rules have priority 1 (and can therefore fire in any order), and where no rule involves deletion, the (unique) final state can be computed in time proportional to the number of prefix firings over the final state. This bound also holds for rules with fixed priorities (no variables in the priority expressions) and deletions. However the run time bound from this "naive" count of prefix firings is typically quite loose for rule sets involving deletions and priorities. Rather than count all prefix firings we want to only count the "visible" prefix firings. To define the visible prefix firings we consider computation histories. A complete R-computation from S is a sequence S1, S2, ..., St such that S1 = S, Si →R Si+1 and St is a final value of S, i.e., there are no instances of rules in R that are pending in St.

Definition: A state S is said to be visible to a prefix instance (r, i, σ) if no pending instance of a rule in R has priority higher than the priority of (r, i, σ). A prefix firing (r, i, σ) over the final state of a computation is said to be visible in a computation if either i = 1 and r is variable priority or the computation contains a state S visible to (r, i, σ) such that σ(A1), ..., σ(Ai) all hold in S (have been asserted but not deleted) where A1, ..., Ai are the first i antecedents of r.

Every visible prefix firing is a prefix firing over the final state, but the visible prefix firings are usually only a small fraction of the prefix firings. A first-antecedent prefix firing is just a prefix firing (r, i, σ) with i = 1. The following is the main theorem of [2].
Theorem 1. If the rule set R terminates on initial state S then a complete R-computation from S can be computed on a RAM machine extended with constant time hash table operations in time proportional to |S| + P1 + P2 log N where |S| is the number of assertions in S, P1 is the number of visible prefix firings of fixed priority rules; P2 is the number of visible prefix firings of variable priority rules; and N is the number of distinct priorities of first-antecedent prefix firings of variable priority rules.

To see how this theorem can be applied we now give a running time analysis of the Dijkstra shortest path algorithm shown in Figure 1. Note that for a state to be visible to (an instance of) a rule there must not be any pending higher priority rule. States where no high-priority rule is pending often satisfy certain invariants. The priority of a state is the priority of a highest-priority (lowest integer) pending rule instance (or +∞ if there are no pending rule instances). The rule D2 ensures that in any state with priority 2 or larger we have at most one distance associated with each node. So this invariant holds in any state visible to the rule D3. The priority of an instance of rule D3 is determined by the value of the integer variable d appearing in the first antecedent: shorter distances get higher priority. Note that when an instance of D3 runs all pending rule firings involve priorities at least as large as d. Since an invocation of rule D3 must generate a bound at least as large as d, all future bounds will be at least as large as d. Hence, in any state with priority d + 2 or greater, any visible assertion of the form dist(u, d) must have the property that d is the actual shortest distance to the node u. Hence, for a given node u there is only one value of d used in a full firing of rule D3. This implies that the total number of firings of the first two antecedents of D3 is at most the number of edges in the graph. Each firing of D2 occurs in a state immediately following a firing of D3 and for each firing of D3 there is at most one firing of D2. Hence the total number of firings of D2 is also at most the total number of edges. Furthermore, this implies that the total number of assertions of the form dist(u, d) ever asserted is at most e. All of these "ever-asserted" assertions must be included as prefix firings of the first antecedent of the variable priority rule D3. However, for the two antecedent prefix firings of D3 we need only consider a single value of d for each value of u. Hence the total number of prefix firings is O(e). The number of distinct priorities associated with rule D3 is at most e. So the abstract run time of rule D3 is O(e log e). The run time of D3 dominates and the algorithm runs in O(e log e) time.
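To make the rule semantics of section 2 and the firing counts used in the analysis above concrete, here is a small Python interpreter for rule sets of this kind, running the three Dijkstra rules of Figure 1. It is an added example, not code from the paper or from [2]: the encoding of assertions as tuples, the rule functions, and the names run and shortest_paths are choices made here. The interpreter counts full rule firings rather than the prefix firings of Theorem 1, but the counts it returns for D2 and D3 can be compared with the bound of e firings each derived above.

```python
# Added example, not the paper's code: a small interpreter for LDP-style rule
# sets with deletion and instance priorities, running the Dijkstra rules
# D1-D3 of Fig. 1.  Conventions chosen here: a ground assertion is a tuple
# headed by its predicate name, del(P(...)) is the tuple ('del', P(...)), and
# a rule is a function that enumerates its instances as (priority, conclusions).

def visible(S):
    """Assertions that have been asserted and not (yet) deleted."""
    return {a for a in S if a[0] != 'del' and ('del', a) not in S}

def rule_D1(S):
    # source(v)  -->  dist(v, 0)                              priority 1
    for a in visible(S):
        if a[0] == 'source':
            yield 1, {('dist', a[1], 0)}

def rule_D2(S):
    # dist(v, d), dist(v, d'), d' < d  -->  del(dist(v, d))   priority 1
    dists = [a for a in visible(S) if a[0] == 'dist']
    for _, v, d in dists:
        for _, v2, d2 in dists:
            if v2 == v and d2 < d:
                yield 1, {('del', ('dist', v, d))}

def rule_D3(S):
    # dist(v, d), E(v, c, u)  -->  dist(u, d + c)             priority d + 2
    vis = visible(S)
    for _, v, d in (a for a in vis if a[0] == 'dist'):
        for _, v2, c, u in (a for a in vis if a[0] == 'E'):
            if v2 == v:
                yield d + 2, {('dist', u, d + c)}

RULES = [('D1', rule_D1), ('D2', rule_D2), ('D3', rule_D3)]

def run(rules, S):
    """Repeatedly fire a pending instance of highest priority (lowest number)
    until none is pending.  An instance is pending when its antecedents are
    visible and firing it would change the state (S != S union conclusions).
    Returns the final state and the number of firings of each rule."""
    S, firings = set(S), {name: 0 for name, _ in rules}
    while True:
        best = None
        for name, rule in rules:
            for prio, concl in rule(S):
                if not concl <= S and (best is None or prio < best[0]):
                    best = (prio, name, concl)
        if best is None:
            return S, firings
        S |= best[2]
        firings[best[1]] += 1

def shortest_paths(edges, source):
    """edges: (v, c, u) triples read as E(v, c, u).  Returns ({node: distance},
    firings), the distances read off the visible dist assertions of the final
    state (rule D2 leaves at most one per node)."""
    S = {('source', source)} | {('E', v, c, u) for v, c, u in edges}
    final, firings = run(RULES, S)
    return {a[1]: a[2] for a in visible(final) if a[0] == 'dist'}, firings
```

The loop in run recomputes every pending instance at each step, so it is a naive fixpoint engine rather than the hash-table RAM implementation behind Theorem 1; what it does reproduce is the priority discipline: D2 (priority 1) retracts a longer distance as soon as a shorter one appears, and D3 instances fire in order of the distance in their first antecedent, so each node's distance is final by the time it is propagated.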

4 Union-Find 

Figure 2, taken from [2], gives an LDP implementation of the union-find algorithm. The algorithm is not particularly elegant, but it does show that LDP with its associated abstract notion of run time is sufficiently powerful to express a useful implementation of union-find. Note that these rules all have priority either 1 or 2. The rules take as input assertions of the form union(x, y) and produce as output assertions of the form find(x, y). Any state in which no union-find rules are pending, e.g., any state with priority 3 or lower (numerically larger), satisfies
UF1 (priority 1):
  union(x, y)
  → nofind(x), nofind(y)

UF2 (priority 1):
  find(x, y)
  → del(nofind(x))

UF3 (priority 1):
  find(x, y), find.arc(y, z)
  → find(x, z), del(find(x, y))

UF4 (priority 1):
  union(x, y), find(x, z), find(y, z)
  → del(union(x, y))

UF5 (priority 2):
  nofind(x)
  → find(x, x), size(x, 1)

UF6 (priority 2):
  union(x, y), find(x, x'), find(y, y')
  → merge(x', y')

UF7 (priority 1):
  merge(x, y), size(x, s1), size(y, s2), s1 ≤ s2
  → del(merge(x, y)), find.arc(x, y), del(size(y, s2)), size(y, s1 + s2)

UF8 (priority 1):
  merge(x, y), size(x, s1), size(y, s2), s2 < s1
  → del(merge(x, y)), find.arc(y, x), del(size(x, s1)), size(x, s1 + s2)

Fig. 2. Union-Find

ST1 (priority 3):
  E(x, c, y), find(x, z), find(y, z)
  → del(E(x, c, y))

ST2 (priority c + 4):
  E(x, c, y)
  → union(x, y), out(x, c, y)

Fig. 3. Minimum Spanning Tree



the invariant that for any x there is at most one y satisfying find(x, y) and that the find map defined by the find relation implements the equivalence relation defined by the input union assertions. This implementation uses greedy path compression. The number of visible prefix firings (the abstract running time for fixed priority rules) is O(n log n) where n is the number of union operations. Figure 3, also taken from [2], shows an O(n log n) LDP implementation of a minimum spanning tree algorithm based on this implementation of union-find. The input is a set of assertions of the form E(x, c, y) and the output spanning tree is a set of assertions of the form out(x, c, y). An O(nα(n)) implementation of union-find can also be given in LDP but requires that union assertions carry time stamps and that a time-stamped find request is made each time one accesses the find relation. This makes it difficult to write rules, such as rule ST1 in figure 3, whose antecedents notice changes in the find map. In many applications of union-find, such as the spanning tree algorithm in figure 3, the union-find processing time is dominated by other computations (such as the priority queue implicit in rule ST2) and the O(n log n) implementation of union-find suffices.

442 David McAllester
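The rules of Figures 2 and 3, written out in conventional Python as an added example (not code from the paper or from [2]): the union-find keeps the find map as a dictionary and applies the greedy path compression of rule UF3 by relabelling every member of the smaller class at each merge, which is what gives the O(n log n) bound stated above; the spanning tree routine plays the two rules of Figure 3 in the order their priorities impose. The class and function names and the edge triples used in the test are choices made here.

```python
# Added example, not the paper's code: the union-find of Fig. 2 with greedy
# (eager) path compression, and the spanning tree rules of Fig. 3 on top of it.
# Names and the (x, c, y) edge triples are choices made here.

class UnionFind:
    """find_[x] is the y of the single visible find(x, y); size[r] is the
    size(r, s) assertion of a representative r; members[r] lists every x
    with find(x, r), so UF3 can relabel them all when r gets a find.arc."""
    def __init__(self):
        self.find_, self.size, self.members = {}, {}, {}

    def find(self, x):
        # UF1/UF5: a node seen for the first time gets find(x, x), size(x, 1)
        if x not in self.find_:
            self.find_[x] = x
            self.size[x] = 1
            self.members[x] = [x]
        return self.find_[x]

    def union(self, x, y):
        """Process union(x, y); returns True if two classes were merged."""
        rx, ry = self.find(x), self.find(y)
        if rx == ry:                      # UF4: same representative, nothing to do
            return False
        # UF6-UF8: merge the representatives, smaller class under the larger
        small, big = (rx, ry) if self.size[rx] <= self.size[ry] else (ry, rx)
        # find.arc(small, big): UF3 redirects every find(m, small) to big
        for m in self.members[small]:
            self.find_[m] = big
        self.members[big].extend(self.members.pop(small))
        self.size[big] += self.size.pop(small)   # del(size(small, _)), size(big, s1 + s2)
        return True

def minimum_spanning_tree(edges):
    """Figure 3: ST2 fires on E(x, c, y) in order of cost (priority c + 4), but
    ST1 (priority 3) first deletes any edge whose endpoints are already joined,
    so only tree edges reach ST2.  Returns the out(x, c, y) assertions."""
    uf = UnionFind()
    out = []
    for x, c, y in sorted(edges, key=lambda e: e[1]):
        if uf.find(x) == uf.find(y):      # ST1: del(E(x, c, y))
            continue
        uf.union(x, y)                    # ST2: union(x, y), out(x, c, y)
        out.append((x, c, y))
    return out
```

Processing the edges in cost order is exactly what the variable priority c + 4 of ST2 achieves in the rule version; because a union is fully processed (priorities 1 and 2) before the next ST2 instance can fire, the connectivity check of ST1 always sees an up-to-date find map.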

5 Polymorphic Type Inference 

Polymorphic type inference can be formulated for the lambda calculus extended with an explicit let constructor and a constant for the numeral zero. The lambda calculus with let and zero is the set of expressions defined by the following grammar.

x = termvar(id)

e = x | 0 | lambda(x, e) | let(x, e1, e2) | apply(e1, e2)

Note that this grammar represents each expression of the lambda calculus explicitly as an LDP data structure. Variables are represented by LDP data structures of the form termvar(id) where id is the "identifier" of the variable and can be any LDP data structure (ground term). It is interesting to note that one can easily write LDP programs that "gensym" new variables to avoid variable capture in operations such as substitution. More specifically, in implementing substitution on the lambda calculus one must be able to construct a variable x that is guaranteed not to occur in a given expression e. But note that the variable termvar(e) cannot occur in e. I will write (e1 e2) as an abbreviation for apply(e1, e2) and write (f e1, e2, ..., en) as an abbreviation for the "Curried application" (...((f e1) e2) ... en). I will also sometimes write λx. e as an abbreviation for lambda(x, e). I will also write λx1 x2. e for λx1. λx2. e.

The type inference algorithm described here runs in O(nα(n) + dn) time where d is the scheme depth of the input program. To define scheme depth we first say that the position of e1 in the let expression let(x, e1, e2) is a scheme formation position. As described below, these scheme formation positions are the positions in the program where polymorphic type inference creates a type scheme. The scheme depth of a position p in the program is the number of scheme formation positions above p. For example, one might have a sequence of module definitions where each module can use definitions from the previous module. Conceptually, the sequence of module definitions is analogous to the following pattern of let bindings.

let(m1, M1, let(m2, M2, let(m3, M3, ...)))

Each module Mi might consist of a sequence of procedure definitions analogous to the following let bindings.

Mi = let(f1, F1, let(f2, F2, let(f3, F3, ...)))

Each procedure might be defined with a sequence of let expressions as follows.

Fi = λx1, ..., xn. let(y1, e1, let(y2, e2, let(y3, e3, ...)))

Typically the expressions ei that give the values of let-bound variables inside individual procedure definitions do not themselves contain let expressions. So an arbitrarily long sequence of dependent modules, each consisting of an arbitrarily long sequence of dependent procedure definitions, each consisting of an arbitrarily long sequence of dependent let expressions, only has scheme depth 3. It seems unlikely that the scheme depth ever exceeds 5 in human written programs.

Hindley-Milner type inference is a process by which the various variables and subexpressions of a given input expression are assigned types. Here we consider only one primitive data type, the type of integers. Finite (nonrecursive) types are generated by the following grammar.

τ = α | int | arrow(τ1, τ2)

In this grammar α ranges over type variables. The type arrow(τ1, τ2) is the type assigned to procedures which take as an argument a value in the type τ1 and produce as an output a value in the type τ2. I will often write τ1 → τ2 as an alternate notation for arrow(τ1, τ2) and write τ1 × ··· × τn → σ as an alternate notation for τ1 → (τ2 → ··· → σ). If τ is the type σ → γ then I will sometimes write domain(τ) for the type σ and range(τ) for the type γ.

The basic constraint in type inference is that in each application (e1 e2) the expression e1 must be assigned a type of the form τ → σ where e2 is assigned the type τ and the application (e1 e2) is assigned the type σ. Type inference is done by unification of type expressions. For each application (e1 e2) we introduce the following constraints.

type.of(e1, p1) = domain(type.of(e1, p1)) → range(type.of(e1, p1))
type.of(e2, p2) = domain(type.of(e1, p1))
type.of((e1 e2), p3) = range(type.of(e1, p1))

Expressions of the form type.of(e, p) are treated as type variables. In polymorphic type inference different occurrences of the same expression can be assigned different types as will be explained below. In a type variable of the form type.of(e, p) we have that p names a position in the input expression at which the expression e occurs. Unification is used to construct the most general solution to the type constraints.

Figure 4 gives the top level structure of the polymorphic type inference procedure. The procedure definitions are abbreviations for inference rules given in figure 5. The input to the top level procedures in figure 4 is a single expression of the form do(analyze(e, root)) where e is a closed lambda expression whose variables have been renamed so that each variable is bound at only one position in e. The basic constraints for application are installed by the first procedure in figure 4. The input expression e is typable by polymorphic recursive types if and only if the rules in figures 4, 6, 7, 8, and 9 do not generate clash. These figures give a complete machine-executable implementation of the polymorphic type inference procedure. This procedure allows recursive types by not performing any occurs-check in the unification procedure. Recursive types can be viewed as infinite type expressions with a finite number of distinct subexpressions. For example there is a recursive type τ satisfying the following fixed point equation.

τ = int → τ

It is possible to add occurs-check rules if one wishes to avoid recursive types.

procedure analyze(apply(e1, e2), p)
  [analyze(e1, down(p, 1));
   analyze(e2, down(p, 2));
   assert.declare.arrow(type.of(e1, down(p, 1)));
   assert.eq.types(type.of(e2, down(p, 2)), domain(type.of(e1, down(p, 1))));
   assert.eq.types(type.of(apply(e1, e2), p), range(type.of(e1, down(p, 1))))]

procedure analyze(0, p)
  [assert.int.type(type.of(0, p))]

A1 (priority 4):
  do(analyze(termvar(id), p)), monomorphic(termvar(id))
  → eq.types(type.of(termvar(id), p), type.of(termvar(id))), done(analyze(termvar(id), p))

A2 (priority 4):
  do(analyze(termvar(id), p)), polymorphic(termvar(id), s)
  → make.copy(s, p), eq.types(type.of(termvar(id), p), copy(s, p)), done(analyze(termvar(id), p))

procedure analyze(lambda(x, e), p)
  [assert.monomorphic(x);
   analyze(e, down(p, 2));
   assert.declare.arrow(type.of(lambda(x, e), p));
   assert.eq.types(type.of(x), domain(type.of(lambda(x, e), p)));
   assert.eq.types(type.of(e, down(p, 2)), range(type.of(lambda(x, e), p)))]

procedure analyze(let(x, e1, e2), p)
  [analyze(e1, down(p, 2));
   assert.make.scheme(type.of(e1, down(p, 2)), p);
   assert.polymorphic(x, sch(type.of(e1, down(p, 2)), p));
   analyze(e2, down(p, 3));
   assert.eq.types(type.of(let(x, e1, e2), p), type.of(e2, down(p, 3)))]

Fig. 4. Hindley-Milner Type Inference: Fundamental Structure

P1 (priority 4):
  do(f(t1, ..., tn))
  → do([a1; ...; an])

P2 (priority 4):
  do(f(t1, ..., tn)), done([a1; ...; an])
  → done(f(t1, ..., tn))

P3 (priority 4):
  do(sequence(a1, a2))
  → do(a1)

P4 (priority 4):
  do(sequence(a1, a2)), done(a1)
  → do(a2)

P5 (priority 4):
  do(sequence(a1, a2)), done(a1), done(a2)
  → done(sequence(a1, a2))

P6 (priority 1):
  do(assert.P(x1, ..., xn))
  → P(x1, ..., xn), done(assert.P(x1, ..., xn))

Fig. 5. Implementing Procedures. Defining f(t1, ..., tn) to be [a1; ...; an] abbreviates the rules P1 and P2 above. The notation [a1; a2] abbreviates sequence(a1, a2) and [a1; a2; ...; an] abbreviates [a1; [a2; ...; an]]. Rule P6 is assumed to be present for every action constructor of the form assert.P.

U1 (priority 1):
  eq.types(τ, σ)
  → type.var(τ), type.var(σ), union(τ, σ)

U2 (priority 1):
  declare.arrow(τ)
  → type.var(τ), type.var(domain(τ)), type.var(range(τ)), decl.struct(τ, domain(τ), range(τ))

U3 (priority 1):
  int.type(τ)
  → type.var(τ)

U4 (priority 1):
  type.var(α)
  → no.struct(α)

U5 (priority 1):
  struct(α, β, γ)
  → del(no.struct(α))

U6 (priority 2):
  decl.struct(α, β, γ), no.struct(α)
  → struct(α, β, γ)

U7 (priority 1):
  decl.struct(α, β, γ), struct(α, β', γ')
  → union(β, β'), union(γ, γ')

U8 (priority 1):
  struct(α, β, γ), find.arc(α, α')
  → decl.struct(α', β, γ)

U9 (priority 1):
  int.type(τ), find.arc(τ, σ)
  → int.type(σ)

U10 (priority 1):
  struct(α, β, γ), int.type(α)
  → clash

Fig. 6. Type Unification

In Hindley-Milner type inference, expressions can have polymorphic types: different occurrences of a procedure can have different types. For example, consider a composition operator comp satisfying the following equation.

((comp f g) x) = (f (g x))

For any types τ1 and τ2 the composition operator can be assigned the type (τ1 → τ2) × (τ1 → τ2) → (τ1 → τ2). For the polymorphic composition operator the types τ1 and τ2 can be different for different uses of the operator. For example, the same composition operator can be used to compose functions from integers to integers in one place and to compose functions on floating points in another place (in a language with floating point numbers). The type of the polymorphic composition operator is often written as follows.

comp : ∀α, β. (α → β) × (α → β) → (α → β)

In Hindley-Milner type inference polymorphism is restricted to let-bound variables. If the top level expression does not involve let then the rules in figures 4 and 6 suffice for type inference. Figures 7, 8, and 9 handle polymorphism. The basic idea is that when the procedure analyzes a let expression it makes the type of the let-bound variable polymorphic. This is done by converting the type to a type scheme which is then instantiated with fresh type variables for each use of the let bound variable.
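As an added example (not the paper's own code and not a transcription of its rules), the following Python program carries out the same procedure in conventional style on the expression grammar of this section: a union-find over type nodes, unification without an occurs check as in Figure 6, and scheme depths as in Figures 7, 8 and 9 to decide which type variables a let binding generalizes and how a scheme is copied at each use. The tuple representation of expressions, the class and function names, and the rendering of a recursive type as rec are all choices made here.

```python
# Added example, not the paper's code: type inference on the paper's expression
# grammar following Figs. 4-9; all names here are ours.  Expressions are tuples:
# ('var', id), ('zero',), ('lambda', id, e), ('let', id, e1, e2), ('apply', e1, e2).

class Clash(Exception): "Raised where the rules would derive clash (rule U10)."

class TNode:
    """Union-find node for a type: struct is None (unbound variable), 'int' or
    ('arrow', domain, range); depth is the node's scheme depth."""
    __slots__ = ('parent', 'struct', 'depth')
    def __init__(self, depth, struct=None):
        self.parent, self.struct, self.depth = self, struct, depth

def find(t):
    """Representative of t's class, compressing the find path lazily."""
    while t.parent is not t:
        t.parent = t.parent.parent
        t = t.parent
    return t

def lower_depth(t, d, seen=None):
    """Rules D7-D9: keep the smallest depth given to a node and push it down
    through arrow structure; seen stops the walk on recursive types."""
    seen = set() if seen is None else seen
    t = find(t)
    if t in seen: return
    seen.add(t)
    t.depth = min(t.depth, d)
    if isinstance(t.struct, tuple):
        lower_depth(t.struct[1], d, seen)
        lower_depth(t.struct[2], d, seen)

def unify(a, b):
    """Rules U1-U10 without an occurs check, so recursive types are admitted."""
    a, b = find(a), find(b)
    if a is b: return
    a.parent = b                          # union(a, b): b now represents both
    if a.struct is not None and b.struct is not None:
        if 'int' in (a.struct, b.struct):
            if a.struct != b.struct:      # int against an arrow (U10)
                raise Clash()
        else:                             # two arrows: unify components (U7)
            unify(a.struct[1], b.struct[1])
            unify(a.struct[2], b.struct[2])
    elif a.struct is not None:
        b.struct = a.struct               # structure follows the find arc (U8)
    lower_depth(b, min(a.depth, b.depth))

def instantiate(t, let_depth, depth, memo):
    """Figs. 7-8: nodes deeper than the let position are bound (MS7) and get
    fresh copies (C1, C4); the rest is free (MS6) and shared (C3)."""
    t = find(t)
    if t.depth <= let_depth:
        return t
    if t in memo: return memo[t]
    memo[t] = c = TNode(depth)
    if t.struct == 'int':
        c.struct = 'int'
    elif t.struct is not None:
        c.struct = ('arrow', instantiate(t.struct[1], let_depth, depth, memo),
                    instantiate(t.struct[2], let_depth, depth, memo))
    return c

def infer(e, env, depth):
    """Fig. 4; env maps an id to ('mono', type) or ('poly', type, let_depth)."""
    kind = e[0]
    if kind == 'zero':
        return TNode(depth, 'int')
    if kind == 'var':
        b = env[e[1]]                     # input is closed, as the paper assumes
        return b[1] if b[0] == 'mono' else instantiate(b[1], b[2], depth, {})
    if kind == 'lambda':
        arg = TNode(depth)
        res = infer(e[2], {**env, e[1]: ('mono', arg)}, depth)
        return TNode(depth, ('arrow', arg, res))
    if kind == 'apply':
        fun, arg, res = infer(e[1], env, depth), infer(e[2], env, depth), TNode(depth)
        unify(fun, TNode(depth, ('arrow', arg, res)))   # the application constraint
        return res
    t1 = infer(e[2], env, depth + 1)      # let: e1 is at a scheme formation position
    return infer(e[3], {**env, e[1]: ('poly', t1, depth)}, depth)

def show(t, names=None, path=()):
    """Render a type; a node met again on the current path is a recursive type."""
    names = {} if names is None else names
    t = find(t)
    if t in path: return 'rec'
    if t.struct is None:
        return names.setdefault(t, "'" + chr(ord('a') + len(names)))
    if t.struct == 'int': return 'int'
    dom = show(t.struct[1], names, path + (t,))
    rng = show(t.struct[2], names, path + (t,))
    if isinstance(find(t.struct[1]).struct, tuple):
        dom = '(' + dom + ')'
    return dom + ' -> ' + rng

def type_of(e):
    """Principal type of a closed expression as a string; raises Clash."""
    return show(infer(e, {}, 0))
```

The depth bookkeeping is the part that is easy to get wrong: when a variable created inside the let-bound expression (depth d + 1) is unified with one from an enclosing scope (depth d or less), lower_depth pulls the merged class and everything reachable through its arrow structure down to the smaller depth, which is what keeps such a variable from being generalized; dropping that step would wrongly treat a lambda-bound variable as polymorphic. Because there is no occurs check, an expression such as λf. (f f) is accepted with a recursive type instead of being rejected.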

It is instructive to first consider the case of expressions without let. In this 
case we can ignore rule A2 and the last procedure definition in figure 4. Since 
the rules for polymorphic type inference do not involve variable-priority rules, to 
analyze the run time of the procedure it suffices to count the number of visible 
prefix firings. The number of prefix firings of the rules implicit in figure 4 is 
proportional to the number of expressions analyzed, i.e., the number of positions 
occupied in the input expression. The number of occupied positions corresponds 
to the written length of the expression and I will simple call this number “the 
size of the input” and denote it by n. To finish the analysis it suffices to count 
the number of visible prefix firings in the union-find rules in figure 2 and of 
the unification rules in figure 6. The input to the unification module consists 
of assertions of the form declare. arrow(cr), int.type(cr) and eq.types((j, r). The 
output is the assertion clash if the constraints are unsatisfiable and otherwise 
the output consists of the union-find equivalence relation on the set of type 
expressions plus assertions of the form struct(o;, /?, 7) which implies that a = 
/? — >■ 7. The rules maintain the invariant that for any a there is at most one 
assertion of the form struct(a, /3, 7). Note that, with the exception of rule 
U2, the unification rules do not introduce new expressions. In fact the number 
of expressions generated by the rules is no more than linear in the number 
(MS1,1)  type.var(α)  ⇒  unbound(α) 
(MS2,1)  arrow.type(α)  ⇒  del(unbound(α)) 
(MS3,1)  int.type(α)  ⇒  del(unbound(α)) 
(MS4,1)  make.scheme(τ, p), find(τ, τ'), struct(τ', σ, γ) 
         ⇒  sch.struct(sch(τ, p), sch(σ, p), sch(γ, p)), make.scheme(σ, p), make.scheme(γ, p) 
(MS5,1)  make.scheme(τ, p), find(τ, τ'), int.type(τ')  ⇒  int.scheme(sch(τ, p)) 
(MS6,2)  make.scheme(τ, p), find(τ, τ'), unbound(τ'), scheme.depth(τ', i), scheme.depth(p, j), i < j 
         ⇒  free.var(sch(τ, p), τ') 
(MS7,2)  make.scheme(τ, p), find(τ, τ'), unbound(τ'), scheme.depth(τ', i), scheme.depth(p, j), j < i 
         ⇒  bound.var(sch(τ, p), sch(τ', p)) 

Fig. 7. Making a Type Scheme 

(C1,3)  make.copy(s, p), sch.struct(s, t, u) 
        ⇒  declare.arrow(copy(s, p)), eq.types(domain(copy(s, p)), copy(t, p)), 
            eq.types(range(copy(s, p)), copy(u, p)), make.copy(t, p), make.copy(u, p) 
(C2,3)  make.copy(s, p), int.scheme(s)  ⇒  int.type(copy(s, p)) 
(C3,3)  make.copy(s, p), free.var(s, τ')  ⇒  eq.types(copy(s, p), τ') 
(C4,3)  make.copy(s, p), bound.var(s1, s2)  ⇒  eq.types(copy(s1, p), copy(s2, p)) 

Fig. 8. Copying a Type Scheme at Program Position p 

(D1,1)  ⇒  scheme.depth(root, 0) 
(D2,1)  do(analyze(let(x, e1, e2), p)), scheme.depth(p, d) 
        ⇒  scheme.depth(down(p, 2), d + 1), scheme.depth(down(p, 3), d) 
(D3,1)  do(analyze(lambda(x, e), p)), scheme.depth(p, d)  ⇒  scheme.depth(down(p, 2), d) 
(D4,1)  do(analyze(apply(e1, e2), p)), scheme.depth(p, d) 
        ⇒  scheme.depth(down(p, 1), d), scheme.depth(down(p, 2), d) 
(D5,1)  type.var(type.of(e, p)), scheme.depth(p, d)  ⇒  scheme.depth(type.of(e, p), d) 
(D6,1)  type.var(copy(s, p)), scheme.depth(p, d)  ⇒  scheme.depth(copy(s, p), d) 
(D7,1)  scheme.depth(x, d1), scheme.depth(x, d2), d1 < d2  ⇒  del(scheme.depth(x, d2)) 
(D8,2)  scheme.depth(x, d), find.arc(x, y)  ⇒  scheme.depth(y, d) 
(D9,3)  scheme.depth(α, d), struct(α, β, γ)  ⇒  scheme.depth(β, d), scheme.depth(γ, d) 

Fig. 9. The Computation of Scheme Depth 



of assertions input to the unification process. This implies that the number 
of (uncompressed) underlying find arcs in the union-find assertions is also no 
more than linear in the number of inputs to unification. The number of prefix 
firings of the unification rules can be seen to be proportional to the number 
of find arcs and hence the number of prefix firings of the unification rules is 
proportional to the number of input assertions. In let-free programs the number 
of inputs to unification is proportional to the number of positions occupied in 
the input expression. Because the unification rules use only the uncompressed 
find arcs a lazy path compression unification algorithm can be used. This gives 
an O(nα(n)) type inference procedure for let-free programs. The lazy path compression 
algorithm can also be used with the full polymorphic type inference procedure. 
While linear time unification is appropriate for let-free programs, in the presence 
of polymorphism one must alternate unification processing with type scheme 
construction and this alternation prevents the use of linear time unification. 

To understand the subtleties of the polymorphic case consider the following 
expression. 

λy.let(f, λx.y, e) 

In this case multiple occurrences of f in e can have different domain types but 
must all have the same range type. The range type of f is the type of the 
lambda-bound variable y which can be determined from the contexts into which 
the overall lambda expression is embedded. In the Hindley-Milner type inference 
algorithm we assign f and y the following types. 

y : β 

f : ∀α. α → β 

Note that in this type α is a bound type variable while β is a free type variable. 
In general, when the procedure constructs a type scheme it must distinguish type 
variables which can be universally quantified (the bound type variables) from 
the type variables which must be left free. Each type variable has a position in 
the program where it is created. In a let expression let(x, e1, e2) type variables 
created in e1 are candidates for quantification in the type scheme. However, the 
expression e1 usually contains free variables such as y in the above example. 
The types associated with the free variables in e1 cannot be generalized. A type 
that is provably equal to a range type or a domain type of an ungeneralizable 
type is also ungeneralizable. To determine which types are generalizable we use 
the notion of scheme depth defined earlier. The formal definition of the scheme 
depth of a position is given by rules D1 through D4 in figure 9. We first say 
that a type α is provably a subexpression of a type β if α is provably equal 
to β (the union-find structure equates them) or α is of the form domain(γ) or 
range(γ) where γ is provably a subexpression of β. Each type variable has a 
creation depth and an inferred depth. The inferred depth of α is the creation 
depth of the shallowest type variable β such that α is provably a subexpression 
of β. Rules D5 and D6 in figure 9 install the creation depth of type variables 
and rules D7, D8, and D9 compute inferred depth. A variable can be bound by 
the universal quantifier at scheme creation time as long as its inferred depth is 
no less than the depth of the position at which the scheme is being created. 

Figure 7 gives rules for creating type schemes. We leave it to the reader to deci- 
pher the meaning of these rules. One point concerning their complexity should 
be noted however. The find assertions in the antecedents of these rules obvi- 
ously should only be instantiated with the find values that are in place when 
the scheme is constructed. This can be achieved by adding an antecedent of the 
form active(p) to each rule where this assertion is only true during the computa- 
tion of the scheme for position p. With this modification it is easy to check that 
the number of visible prefix firings of the rules in figure 7 is proportional to the 
number of nodes in the scheme created. For programs of bounded order and arity 
there is a constant upper bound on the number of nodes in each scheme. The 
rules for making a scheme are consistent with the use of a lazy path compression 
version of union-find. 

The rules in figure 8 copy a type scheme at a particular program location. 
The number of visible prefix firings of these rules is proportional to the size of the 
scheme being copied. If schemes have a bounded size then the total time taken 
to create and copy schemes is proportional to the size of the input program (the 
number of occupied positions). In this case the total number of type variables 
is also proportional to the size of the input program so the time spent inside a 
lazy path compression version of union-find is O(nα(n)). The number of visible 
prefix firings of rules D7, D8, and D9 is bounded by the size of the program (the 
number of type variables) times the number of depths, i.e., the scheme depth of 
the deepest scheme position. This gives a total running time of O(nα(n) + dn) 
where n is the length of the program and d is the scheme depth of the program. 
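The scheme-depth machinery described above (rule D2 for let, D5/D6 for creation depth, D7 to D9 for depth propagation, and MS6/MS7 for deciding which variables a scheme binds) is illustrated by the following added example; it is not code from the paper. It is a small Hindley-Milner checker in Python, and the expression encoding, the names TVar, TArrow, infer, generalize, instantiate and scheme_under_lambda_y, and the use of a union-find with eager rather than lazy path compression are all assumptions of the example, not the paper's. scheme_under_lambda_y types the bound expression e1 of λy.let(f, e1, ...) with y created at depth 0 and e1 analysed at depth 1, so it reproduces the scheme f : ∀α. α → β (one bound variable, β free) and also shows that when y is unified with a deeper arrow type, as in λx.(y x), the depth lowering of D8/D9 stops the generalisation.

```python
# Added example (not the paper's code): Hindley-Milner let-polymorphism with scheme depth as
# in figures 7-9: variables carry an inferred depth, unification lowers it through find arcs
# (D8) and arrow structure (D9), and a let generalises only variables at least as deep (MS6/7).
class TVar:
    def __init__(self, depth):
        self.depth, self.parent = depth, None  # inferred depth; union-find link (None = root)
class TArrow:
    def __init__(self, dom, rng):
        self.dom, self.rng = dom, rng  # the only other type is the base type "int"

def find(t):
    # union-find representative of t, with path compression
    if isinstance(t, TVar) and t.parent is not None:
        t.parent = find(t.parent)
        return t.parent
    return t

def lower_depth(t, depth):
    """D7-D9: every type provably a subexpression of a depth-d variable gets depth <= d."""
    t = find(t)
    if isinstance(t, TVar):
        t.depth = min(t.depth, depth)
    elif isinstance(t, TArrow):
        lower_depth(t.dom, depth); lower_depth(t.rng, depth)

def occurs(v, t):
    t = find(t)
    return t is v or (isinstance(t, TArrow) and (occurs(v, t.dom) or occurs(v, t.rng)))

def unify(t1, t2):
    """Union-find unification; TypeError plays the role of the paper's clash assertion."""
    t1, t2 = find(t1), find(t2)
    if t1 is t2: return
    if isinstance(t1, TVar):
        if occurs(t1, t2):
            raise TypeError("clash: recursive type")  # occurs check is our own choice
        lower_depth(t2, t1.depth)
        t1.parent = t2
    elif isinstance(t2, TVar):
        unify(t2, t1)
    elif isinstance(t1, TArrow) and isinstance(t2, TArrow):
        unify(t1.dom, t2.dom); unify(t1.rng, t2.rng)
    elif not (t1 == "int" and t2 == "int"):
        raise TypeError("clash")

def generalize(t, depth):
    """Scheme at scheme depth `depth`: variables at least that deep are bound, the rest free."""
    bound = []
    def walk(t):
        t = find(t)
        if isinstance(t, TVar) and t.depth >= depth and t not in bound:
            bound.append(t)
        elif isinstance(t, TArrow):
            walk(t.dom); walk(t.rng)
    walk(t)
    return bound, t

def instantiate(scheme, depth):
    """Copy a scheme at a use site (figure 8): bound variables get fresh copies at `depth`."""
    bound, t = scheme
    copies = {v: TVar(depth) for v in bound}
    def copy(t):
        t = find(t)
        if isinstance(t, TArrow):
            return TArrow(copy(t.dom), copy(t.rng))
        return copies.get(t, t) if isinstance(t, TVar) else t
    return copy(t)

def infer(e, env, depth):
    """e: ('int', n) | ('var', x) | ('lam', x, body) | ('app', f, a) | ('let', x, e1, e2)."""
    k = e[0]
    if k == 'int': return "int"
    if k == 'var': return instantiate(env[e[1]], depth)
    if k == 'lam':
        a = TVar(depth)  # lambda-bound names get the trivial scheme ([], a)
        return TArrow(a, infer(e[2], {**env, e[1]: ([], a)}, depth))
    if k == 'app':
        f, a, r = infer(e[1], env, depth), infer(e[2], env, depth), TVar(depth)
        unify(f, TArrow(a, r))
        return r
    if k == 'let':  # D2: e1 is analysed one level deeper than the let, e2 at the same level
        scheme = generalize(infer(e[2], env, depth + 1), depth + 1)
        return infer(e[3], {**env, e[1]: scheme}, depth)
    raise ValueError(e)

def show(t, names=None):
    names = {} if names is None else names  # variables are numbered t0, t1, ... as met
    t = find(t)
    if isinstance(t, TVar):
        return names.setdefault(t, "t%d" % len(names))
    if isinstance(t, TArrow):
        return "(%s -> %s)" % (show(t.dom, names), show(t.rng, names))
    return t

def type_of(e):  # principal type of a closed expression (raises TypeError on a clash)
    return show(infer(e, {}, 0))

def scheme_under_lambda_y(e1):
    """Scheme of f in  lambda y. let f = e1 in ...  (y created at depth 0, e1 analysed at
    depth 1). Returns (number of bound variables, rendered scheme body)."""
    y = TVar(0)
    bound, t = generalize(infer(e1, {'y': ([], y)}, 1), 1)
    return len(bound), show(t)
```

type_of applied to λy.let(f, λx.y, f (f 1)), encoded as ('lam', 'y', ('let', 'f', ('lam', 'x', ('var', 'y')), ('app', ('var', 'f'), ('app', ('var', 'f'), ('int', 1))))), yields (t0 -> t0): the inner use of f is instantiated at int → β and the outer at β → β, which is only possible because α was bound in the scheme while β stayed free.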



6 Conclusions 

This paper is a case study in the use of bottom-up logic programming extended 
with priorities and deletions in presenting and analyzing algorithms. Efficient 
Hindley-Milner type inference seems to be a challenging algorithm to both formu- 
late and analyze. The algorithm presented here is essentially the one used in ML 
and Caml implementations. Although beauty is in the eye of the beholder, it can 
at least be argued that the inference rule presentation of the algorithm is clearer 
both with respect to its correctness and with respect to its running time than is any 
presentation of the algorithm using traditional control structures. Of course the 
top level procedure in figure 4 uses classical procedural control structures. How- 
ever, the implementation of unification and the depth propagation seems easier 
in inference rules than in classical control structures. Also, inference rules provide a 
different form of modularity than is possible in classical programs. The unifica- 
tion algorithm can be given as a separate module that uses a union-find module 
without modification. Depth propagation can be done with yet another module. 
The complexity analysis of these modules can be done separately (modularly). 
This modularization seems difficult with classical control structures. The use of 
inference rules also seems to facilitate the treatment of recursive types. 

In comparing the algorithm in figures 4, 6, 7, 8, and 9 to other presentations 
it is important to keep in mind that these figures contain machine readable 
code. Machine readable code is usually less clear than informal descriptions 
of algorithms written in English. A fair comparison would require comparing 
these figures to a machine-readable implementation in some more traditional 
programming language. 

Bottom-up logic programming is clearly not the best tool for all applications. 
However, it is hoped that this case study demonstrates that presenting and 
analyzing complex algorithms as bottom-up logic programs is indeed feasible 
and perhaps provides greater clarity than traditional approaches. 
Abstract. One problem in computational group theory is to find a pre- 
sentation of the subgroup generated by a set of elements of a group. The 
Reidemeister-Schreier algorithm was developed in the 1930’s and gives 
a solution based upon enumerative techniques. This however means the 
algorithm can only be applied to finite groups. This paper proposes a 
rewriting based alternative to the Reidemeister-Schreier algorithm which 
has the advantage of being applicable to infinite groups. 



1 Introduction 

In computational group theory [3], one tries to reason about various properties 
of groups which are finitely presentable, ie groups defined as the quotient of the 
free group on a set of generators by a set of relations. One of the most common 
approaches to these sorts of problems is based upon enumerative techniques [7] 
with another being based upon string rewriting [2,11]. Although the former are 
more widely used, their enumerative nature means they are limited to groups 
with finitely many elements. 

One problem in computational group theory is to find a presentation of the 
subgroup generated by a set of elements of a group. The Reidemeister-Schreier 
algorithm [7] was developed in the 1930’s and gives a solution based upon enu- 
merative techniques. This paper proposes a rewriting based alternative to the 
Reidemeister-Schreier algorithm which has the advantage of being applicable to 
infinite groups. A prototype has been implemented and we are currently dis- 
cussing with the GAP-group how to bring it up to the standard required for 
integration into the GAP [4] distribution. 

Typically a group is given by a monoid presentation consisting of a set of 
generators X and equations R and we are interested in finding a presentation 
of the subgroup H generated by a set of words Y ⊆ X*. It is clear that in gen- 
eral one can take as a generating set for H the disjoint union of Y with itself. 
One half of this union will represent the elements of Y in H while the other 
half will represent their inverses. However, the difficult question is to take the 
relations of R, which may refer to words not in Y, and recast them so that they 
only mention words built from Y and its inverses. To do this, words w1 and w2 
built from Y but equal under R are considered as rewrite sequences and thus 
the question becomes when should two rewrite sequences be equal. This takes 
us into the world of logged [6] or labelled rewriting as is found in Levy equiv- 
alence [9], rewriting logic [10] and 2-categorical models of rewriting [12]. Our 
central idea is that two rewrite sequences are equal if they arise through the 
analysis of critical pairs as found in Knuth-Bendix completion [8]. Thus, Knuth- 
Bendix completion is not only a mechanism for completing rewrite systems, but 
in addition the process of how this completion occurs contains valuable com- 
putational information. Since our equations are a by-product of Knuth-Bendix 
completion, our algorithm can be applied to infinite groups unlike the standard 
Reidemeister-Schreier algorithm. In more detail, our algorithm is broken down 
into three parts. 

— Subgroups are intimately connected with the behaviour of the associated 
cosets. The first step of our procedure is to define a coset rewriting system 
to solve the coset membership problem which asks when two elements of the 
group belong to the same coset. 

— By attaching labels to the rewrites of the coset rewriting system we obtain 
witnesses to the solution of the coset membership problem. 

— Finally, the critical pairs of the coset rewriting system, when labelled, yield 
the presentation of the subgroup. 

As well as providing an application of rewriting, we were pleasantly surprised 
that our algorithm used some of the theory of rewriting, in particular sesqui- 
categories [12], Levy equivalence [9] and the interaction of these structures with 
Knuth-Bendix completion. We are aware that certain readers will not be familiar 
with these sesqui-categories but we only use the language of sesqui-categories 
to organise definitions and there is no deep categorical content which could 
put the reader off. Possibly more of a problem is the group theory used here 
which, although only of an undergraduate level, some readers may not have 
met. We have addressed this issue by including all relevant definitions and giving 
references. However, in the end, it is the nature of applications of rewriting to 
use concepts from outside the core of rewriting. 

The paper is structured as follows. Section 2 contains all the group theoretic 
definitions required, while Section 3 addresses the coset membership problem. 
Section 4 gives our algorithm for obtaining a presentation of a subgroup while 
Section 5 contains two examples which we hope the reader will use to help 
understand the paper. We finish in Section 6 with some concluding remarks. 

2 A Brief Introduction to Group Theory 

This section contains all the basic definitions from group theory needed within 
this paper. A more detailed exposition of this material can be found in any text 
on computational group theory [3]. Since this paper is addressed to a rewriting 
audience, standard rewriting knowledge as in [1,2] will be assumed. 

A monoid M consists of a triple M = (X, ∘, e) where ∘ is an associative binary 
operation on X with unit e. A group G consists of a quadruple G = (X, ∘, e, ⁻¹) 
where (X, ∘, e) is a monoid and ⁻¹ is a unary operation on X such that for all 
x ∈ X, x⁻¹ is an inverse for x under ∘. As is common practice, we use the same 
notation for a group and its underlying carrier set. A monoid homomorphism f : 
M1 → M2 between monoids is a function on the underlying sets which preserves 
the unit and composition. A group homomorphism is a monoid homomorphism 
between the underlying monoids as such monoid homomorphisms automatically 
preserve the inverse operation. We use the group S3 of rotations and reflections 
of an equilateral triangle as a running example throughout this paper. 

Example 1. The group S3 of rotations and reflections of an equilateral triangle 
has as elements {l,a,aa,ab,ba,b} where a is a rotation by 120 degrees and b is 
a reflection around one axis. Composition, inverses etc are left to the reader. 

Given a set X, the free monoid X* on X consists of finite sequences of ele- 
ments of X. This set is also called the set of words over X. The monoid structure 
on X* has as unit the empty word 1 and composition given by concatenation of 
words. Given a set X, we write X + X for the disjoint union of X with itself. 
Typical elements of (X + X)* are written x1^δ1 ··· xn^δn where each xi ∈ X and 
δi ∈ {+, −} to denote which half of the disjoint union each element comes from. 

In practice we write x^+ simply as x. The free group Fg(X) on a set X is the 
quotient of (X + X)* by the relations xx⁻ = 1 = x⁻x. Freeness of these struc- 
tures allows us to define monoid homomorphisms X* → M by giving functions 
X → M and group homomorphisms Fg(X) → G by giving functions X → G. 

2.1 Monoid Presentations and Group Presentations 

Most groups are not free. A larger class of groups which include many of practical 
importance and for which effective computational methods exist are the finitely 
presentable groups. These are defined via monoid presentations [3]. 

Definition 2 (Monoid Presentation). A monoid presentation for a group G 
is of the form mon⟨X | R⟩, where X is a finite set and R is a finite subset of 
X* × X* such that G is isomorphic (as a monoid, and hence a group) to the 
quotient of X* by the least congruence containing R. 

Given a monoid presentation of a group G by mon⟨X | R⟩ we denote by θ : 
X* → G the quotient morphism assigning to each word its equivalence class in 
the group. Note that θ is surjective and a monoid homomorphism. Also given 
w ∈ X*, we know that θ(w)⁻¹ ∈ G and by surjectivity there is a word z ∈ X* 
such that θ(z) = θ(w)⁻¹. Abusing notation, we denote this word by w⁻ since it 
is a word representing the inverse of the word w under θ in G. Of course, w⁻ is 
not uniquely defined and we ensure we deal with this whenever required. 

As an example of a monoid presentation, consider S3. Three rotations pro- 
duce the identity transformation of the triangle, so do two reflections and also 
a rotation, reflection, rotation and reflection. In fact all other equivalences of 
rotations and reflections can be deduced from these facts. Thus, 

Example 3. S3 is presented by mon⟨a, b | a³ = 1, b² = 1, abab = 1⟩. 
The most famous problem in computational group theory is the word prob- 
lem: Given a group presentation mon⟨X | R⟩ and any two words w and w' in X*, 
is it the case that w ∼_R w' where ∼_R is the least congruence on X* containing 
R. This problem is in general undecidable but there are a number of approaches 
which solve the problem under certain circumstances. The most common is based 
upon string rewriting and Knuth-Bendix completion [1,2]. Given a monoid pre- 
sentation, one orients each pair (u, v) ∈ R as a rewriting rule u → v, and proves 
the resulting rewriting relation is strongly normalising and confluent. Then ev- 
ery word has a computable unique normal form and w ∼_R w' iff the normal 
form of w is equal to that of w'. If, as is most likely, the rewriting relation is 
not strongly normalising and confluent, Knuth-Bendix completion can attempt 
to obtain a rewriting relation →_{R'} which is strongly normalising, confluent and 
which generates the same congruence as →_R. 

Example 4. Knuth-Bendix completion (with word length as termination order) 
of the presentation of S3 gives the following complete rewriting system. 

aaa → 1    bb → 1    aab → ba 

aba → b    baa → ab    bab → aa 

This paper tackles the problem of finding a presentation for a subgroup of a 
finitely presentable group. Subgroups are intimately connected with cosets and 
so we turn to the definition of these concepts. 

Definition 5 (Subgroup). A subgroup of a group G is a non-empty subset 
H ⊆ G such that e ∈ H and H is closed under composition and inverses. 

Examples of subgroups of S3 are {1}, {1, a, aa} and {1, b}. If H is a subgroup 
of G, we can divide or partition G by H into what are called cosets. 

Definition 6 (Cosets). Let H be a subgroup of G. Define an equivalence rela- 
tion ∼ on G by x ∼ x' iff there is an h ∈ H such that x = hx'. The cosets of H 
in G are written as G/H and defined to be the equivalence classes of G under ∼. 
The coset of an element x ∈ G is written Hx. 

The data used in our rewriting alternative to Reidemeister-Schreier consists 
of a presentation of the group and a set of words which generate the subgroup. 

Definition 7 (Coset Presentation). A coset presentation is a triple (X, S, Y) 
where X is a set, S ⊆ X* × X* and Y ⊆ X*. 

Implicitly a coset presentation P is assumed to determine the following: 

— A group G_P defined via the monoid presentation (X, S). 

— A monoid homomorphism θ : X* → G_P. 

— A subgroup H_P of G_P defined to be the least subgroup of G_P containing 
the set θ(Y). Alternatively, H_P consists of all elements of G_P of the form 
θ(y1)^{±1} ··· θ(yn)^{±1} where each yi ∈ Y. 
We now fix a coset presentation (X, S, Y), omit the subscript P and speak 
simply of the group G and the subgroup H. Any set of generators for H must 
have enough words to represent each element of H. Clearly Y + Y provides such 
a set since θ(y) can be represented by y, θ(y)⁻¹ by y⁻ and composites of the 
form θ(y1)^{±1} ··· θ(yn)^{±1} can be represented by words over Y + Y. Of course θ 
restricts to a map Y → H which extends uniquely to a monoid homomorphism 
θ : (Y + Y)* → H by setting θ(y⁻) = θ(y)⁻¹. Further evidence that H can be 
expressed as a quotient of (Y + Y)* is the following lemma: 

Lemma 8. Let ∼_θ be the kernel of θ. Then H is isomorphic to (Y + Y)*/∼_θ. 

Proof. We construct a bijection between (Y + Y)*/∼_θ and H. Given h ∈ H, we 
have seen that h is of the form θ(w) for some w ∈ (Y + Y)*. Thus h is mapped to 
the equivalence class of w under ∼_θ. In the reverse direction, given any equiv- 
alence class [w] ∈ (Y + Y)*/∼_θ we map [w] to θ(w). That these definitions are 
independent of the various choices and are mutually inverse are straightfor- 
ward and left to the reader. 



Unfortunately the congruence ∼_θ does not give us a presentation and thus we 
must try to re-axiomatise it as equations using only symbols from Y + Y. 

3 The Coset Membership Problem 

The first step of our algorithm for obtaining a presentation of the subgroup 
H is to solve the coset membership problem which asks when two elements of 
the group belong to the same coset. We do this by rewriting over the set HX* 
defined by introducing the formal symbol H and defining 

HX* = {Hw | w ∈ X*} 

We stress that in this context, H is just a formal symbol in the same way that 
elements of X* are just formal words. The distinction between H used here as 
such a formal word and H used elsewhere as a subgroup mirrors the distinction 
between the words in X* and their equivalence classes as elements of a group. 
Coset rewriting systems are defined as follows: 

Definition 9 (Coset Rewriting System). If P = (X, S, Y) is a coset presen- 
tation, a coset rewriting system (CRS) for P consists of a pair R = (R_G, R_H) 
where R_G ⊆ X* × X* and R_H ⊆ HX* × HX* such that: 

— The relations R_G and S generate the same congruence. That is, ∼_{R_G} and ∼_S 
are the same or, equivalently, (X, R_G) is a monoid presentation of G. 

— If (Hw, Hw') ∈ R_H, then (as cosets) Hθ(w) = Hθ(w'). 

— If h ∈ H, then there is a w ∈ X* such that h = θ(w) and Hw ∼_R H. 

The congruence ∼_R used in the third clause of Definition 9 is generated from 
the rewriting relation →_R defined as the union of the rewriting relations →_{R_G} 
and →_{R_H} on HX*. In turn these are defined as follows: 

— →_{R_G} = { (Hulv, Hurv) | (l, r) ∈ R_G, u, v ∈ X* }, 

— →_{R_H} = { (Hwv, Hw'v) | (Hw, Hw') ∈ R_H, v ∈ X* }. 

The intuition underlying Definition 9 is that R_G gives another presentation 
of G — since we will be using Knuth-Bendix completion R_G cannot simply be 
taken to be S. We may then think of R_H as performing computation on G, ie 
rewriting on R_G-equivalence classes. By regarding a CRS as a proof system, the 
first of the conditions of Definition 9 is the soundness and completeness of R_G 
with respect to S, the second condition is the soundness of R_H with respect to 
the subgroup H while the final condition is the completeness of R wrt H. 

As with usual rewriting systems, CRSs are closed under inverses and disjoint 
unions. Formally, if R is a CRS its inverse R⁻¹ is the CRS with rules in the reverse 
direction. Similarly, given two CRSs R1 and R2 for the same coset presentation, 
the union R1 + R2 is the CRS whose rules are the union of the rules of R1 and 
R2. The following is an easy lemma. 

Lemma 10. If R is a CRS, so is its inverse R⁻¹. Similarly, if R1 and R2 are 
CRSs for the same coset presentation, so is R1 + R2. 

There are two key lemmas we wish to establish about CRSs; firstly that CRSs 
can be used to decide the coset membership problem and secondly that a coset 
presentation defines an initial CRS. 

Lemma 11. If R = (R_G, R_H) is a CRS for a coset presentation (X, S, Y), then 
the cosets G/H are in 1-1 correspondence with the equivalence classes HX*/∼_R. 

Proof. We define functions φ : G/H → HX*/∼_R and ψ : HX*/∼_R → G/H; 
check they are well defined given that their definitions depend upon representa- 
tives of cosets and equivalence classes; and prove they are mutually inverse. 

To define φ consider a coset Hg. Surjectivity of θ means there is an x_g ∈ X* such 
that θ(x_g) = g. Set φ(Hg) = [Hx_g]. We show this definition is independent of the 
choice of g and the word x_g. Given a y_g such that θ(y_g) = g, then y_g ∼_S x_g and 
hence y_g ∼_{R_G} x_g. Thus [Hx_g] = [Hy_g]. Given a g' such that Hg' = Hg, there 
is an h ∈ H such that g' = hg. Thus there is a w ∈ X* such that θ(w) = h and 
Hw ∼_R H. Thus θ(wx_g) = g' and hence φ(Hg') = [Hwx_g] = [Hx_g] = φ(Hg). 
Define ψ by mapping an equivalence class [Hw] to the coset Hθ(w). If [Hw] = 
[Hw'] we must show that Hθ(w) = Hθ(w'). Without loss of generality, as- 
sume Hw' is a one-step rewrite of Hw using either →_{R_G} or →_{R_H}. Either i) 
Hw = Hlv →_{R_H} Hrv = Hw' where (Hl, Hr) ∈ R_H in which case Hθ(w) = 
Hθ(lv) = Hθ(l)θ(v) = Hθ(r)θ(v) = Hθ(rv) = Hθ(w') where Hθ(l) = Hθ(r) 
is the second condition in a CRS; ii) Hw = Hulv →_{R_G} Hurv = Hw' where 
(l, r) ∈ R_G in which case θ(w) = θ(w') since ∼_{R_G} = ∼_S and θ identifies S- 
equivalent words. 

Finally, φ(ψ[Hw]) = φ(Hθ(w)) = [Hw] since we may choose w from the preim- 
age of θ(w). In the other direction ψ(φ(Hg)) = ψ([Hx_g]) = Hθ(x_g) = Hg where 
x_g is an arbitrary element such that θ(x_g) = g. 

The other lemma we want is that CRSs actually exist. In fact, a coset pre- 
sentation actually defines an associated CRS. 
Lemma 12. If P = (X, S, Y) is a coset presentation, define 

P_G = S and P_H = {(Hy, H) | y ∈ Y} ∪ {(Hy⁻, H) | y ∈ Y} 

Then P_0 = (P_G, P_H) is a CRS henceforth called the initial CRS generated by P. 

Proof. We have three conditions to verify. The first is trivial and so is the second 
since if y ∈ Y, then θ(y), θ(y)⁻¹ ∈ H. Next, let K consist of those elements h ∈ H 
such that there is a word z such that θ(z) = h and Hz ∼_{P_0} H. We want to prove 
H ⊆ K. Clearly K contains all elements of the form θ(y) for y ∈ Y. K is also 
trivially closed under multiplication. We finish by showing K is closed under 
inverses. So let h ∈ K with, say, θ(z) = h and Hz ∼_{P_0} H. Recall there is a 
z⁻ ∈ X* such that θ(z⁻) = h⁻¹ and hence θ(zz⁻) = 1. Thus zz⁻ ∼_S 1 and 

Hz⁻ ∼_{P_0} Hzz⁻ ∼_{P_0} H 

and so Hz⁻ ∼_{P_0} H with θ(z⁻) = h⁻¹ as required. 

We define P_= = P_0 + P_0⁻¹ which, by lemma 10, is also a CRS. The final part 
of the lemma follows from lemma 10. Given that a coset presentation defines an 
initial CRS, we now prove that Knuth-Bendix completion of a CRS produces a 
CRS. We do this in two stages to ensure that we get a complete rewriting system 
to decide the equality defining the group G. 

Lemma 13. Let R = (R_G, R_H) be a CRS for a coset presentation P = (X, S, Y). 
If R_G^c is the Knuth-Bendix completion of R_G then (R_G^c, R_H) is a CRS for P. 

Proof. Knuth-Bendix completion doesn’t alter the strength of the associated 
congruence. Thus ∼_{R_G^c} is the same as ∼_{R_G}. The second property trivially holds, 
while the third property follows for the same reason as the first. 



Knuth-Bendix completion of a CRS also involves an analysis of R_G-R_H 
critical pairs and R_H-R_H critical pairs and consequently adding new R_H- 
rewrites to the CRS. The iterative step of this part of the completion considers 
spans Hw →*_R Hu and Hw →*_R Hv where Hu and Hv are →_R normal forms 
and adds a rewrite Hu →_{R_H} Hv or Hv →_{R_H} Hu depending on which term is 
larger in the termination order. 

Lemma 14. Knuth-Bendix completion of a CRS results in a CRS. 

Proof. We have already dealt with the analysis of R_G-R_G critical pairs. Assume 
we have a CRS and a critical pair Hw →*_R Hu and Hw →*_R Hv which 
cannot be completed. We then introduce a new R_H-rewrite Hu → Hv or vice 
versa depending upon the termination order. Clearly the first and third conditions 
of a CRS hold after the addition of this rewrite. For the second condition, note 
that Hu and Hv belong to the same equivalence class. From lemma 11, we 
conclude that ψ(Hu) = ψ(Hv). Since Hθ(u) = ψ(Hu) and Hθ(v) = ψ(Hv), the 
second condition is also preserved by the addition of this new rewriting rule. 
We now have our first key theorem, namely that if the Knuth-Bendix proce- 
dure terminates, coset equivalence is decidable. 

Theorem 15. Assume the Knuth-Bendix procedure terminates. Then given two 
elements g, g' ∈ G, it is decidable if Hg = Hg'. 

Proof. Let R be the CRS resulting from Knuth-Bendix completion in lemma 14 
of the initial CRS arising from the coset presentation as described in lemma 12. 
Further, let θ(x_g) = g and θ(x_{g'}) = g'. Then Hg = Hg' iff Hx_g ∼_R Hx_{g'} and 
this latter condition can be decided by reducing to normal form. 
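The word problem for S3 (Example 4) and the coset completion of Lemmas 12 to 14 are worked through in the following added example; it is not code from the paper nor from the prototype mentioned in the introduction. The inverse words a⁻ = aa and b⁻ = b, the shortlex termination order (length first, then alphabetical), the function names and the enumeration bound are assumptions of the example. complete_rh computes the R_G-R_H and R_H-R_H critical pairs as the paragraph before Lemma 14 describes, normalising both sides of each span and orienting the resulting pair, and cosets then counts the distinct normal forms Hw, which by Lemma 11 is the index of H in G.

```python
# Added example (not the paper's code): coset rewriting for the running example S3.
# RG is the complete rewriting system of Example 4; RH starts as the initial CRS of
# Lemma 12 (Hy -> H and Hy^- -> H for y in Y) and is completed by the R_G/R_H and
# R_H/R_H critical-pair step described before Lemma 14, orienting new rules by
# shortlex order (word length first, then alphabetical).
from itertools import product

RG = [("aaa", ""), ("bb", ""), ("aab", "ba"), ("aba", "b"), ("baa", "ab"), ("bab", "aa")]
INVERSE = {"a": "aa", "b": "b"}  # constructed: a word y^- with theta(y y^-) = 1, per generator

def shortlex_less(u, v):
    return (len(u), u) < (len(v), v)

def normalize_word(w, rg):
    """R_G-normal form of w (every rule in RG shortens its argument, so this terminates)."""
    while True:
        for l, r in rg:
            i = w.find(l)
            if i >= 0:
                w = w[:i] + r + w[i + len(l):]
                break
        else:
            return w

def normalize_coset(w, rg, rh):
    """Normal form of the formal coset word Hw: R_G rules fire anywhere inside w,
    R_H rules only at the left end (Hwv -> Hw'v)."""
    while True:
        w2 = normalize_word(w, rg)
        for l, r in rh:
            if w2.startswith(l):
                w2 = r + w2[len(l):]
                break
        if w2 == w:
            return w
        w = w2

def orient(u, v):
    """Rule from the shortlex-larger word to the smaller one, or None if they already agree."""
    if u == v:
        return None
    return (u, v) if shortlex_less(v, u) else (v, u)

def initial_rh(generators):
    """R_H of the initial CRS P_0: Hy -> H and Hy^- -> H for each y in Y."""
    rh = []
    for y in generators:
        for rule in ((y, ""), (INVERSE[y], "")):
            if rule not in rh:
                rh.append(rule)
    return rh

def complete_rh(rg, rh):
    """Critical-pair completion of R_H against an already complete R_G (Lemma 14)."""
    rh = list(rh)
    while True:
        new = []
        def consider(u, v):  # a span Hu <-* Hw ->* Hv; add a rule if the normal forms differ
            rule = orient(normalize_coset(u, rg, rh), normalize_coset(v, rg, rh))
            if rule and rule not in rh and rule not in new:
                new.append(rule)
        for lhs, rhs in rh:            # R_G/R_H overlaps: lhs = xy and l = yz, so Hxyz rewrites
            for l, r in rg:            # both to H rhs z (via R_H) and to Hx r (via R_G)
                for k in range(1, min(len(lhs), len(l) - 1) + 1):
                    if l.startswith(lhs[-k:]):
                        consider(rhs + l[k:], lhs[:-k] + r)
        for l1, r1 in rh:              # R_H/R_H overlaps: one left-hand side prefixes another
            for l2, r2 in rh:
                if (l1, r1) != (l2, r2) and l2.startswith(l1):
                    consider(r2, r1 + l2[len(l1):])
        if not new:
            return rh
        rh.extend(new)

def cosets(generators, alphabet="ab", max_len=4):
    """Distinct coset normal forms Hw over all words up to max_len; their number is the
    index of H in G. Every element of S3 is a word of length <= 2, so max_len = 4 is safe."""
    rh = complete_rh(RG, initial_rh(generators))
    forms = set()
    for n in range(max_len + 1):
        for letters in product(alphabet, repeat=n):
            forms.add(normalize_coset("".join(letters), RG, rh))
    return sorted(forms, key=lambda w: (len(w), w))
```

For Y = {a} the completion adds the single rule Hba → Hb (from the span Haab →_{R_H} Hab →_{R_H} Hb against Haab →_{R_G} Hba) and the coset normal forms are H and Hb, matching the index 2 of the subgroup {1, a, aa}; for Y = {b} the rule Hab → Haa is added and three cosets remain.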

4 Logged Coset Rewriting System 

The second step in our algorithm is to label the rewrites of a CRS which provides 
proof terms or witnesses for the coset membership problem. By equating those 
labels which arise from critical pair completion we get our presentation for the 
subgroup of a coset presentation. 

A logged coset rewriting system is simply a rewriting system with proof terms 
attached to indicate why a term rewrites to another. This is similar in nature to 
what happens in rewriting logic [10] and can be traced back to Levy’s permutation 
equivalence [9]. In a different context, the same idea also arises in 2-categorical 
and sesqui-categorical models of rewriting [12,13]. Although we use the formal 
language of sesqui-categories because they provide the most concise language 
to express our constructions, they do not hide any difficult mathematics and 
are simply an efficient organisational device. Readers not familiar with sesqui- 
categories should therefore still be able to follow the argument. 

Firstly we give the labels for rewrites. A one-step rewrite will be labelled by 
the rewrite used and the context within which it is used. For a CRS (R_G, R_H), 
this context is a pair of words if the rule comes from R_G and simply a word 
if the rule is in R_H. A rewrite sequence will be labelled by a sequence of such 
one-step labels making sure that the sources and targets match for the sake of 
well-formedness. 

Definition 16 (Theory of a CRS). Given a CRS R = (R_G, R_H) for a coset 
presentation P = (X, S, Y), the theory of R, written S_R, consists of all elements 
of the following form: u1ρ1v1 ... unρnvn where 

— Each ρi ∈ R_G or ρi ∈ R_H. 

— If ρi ∈ R_G, then ui ∈ HX* and vi ∈ X*. 

— If ρi ∈ R_H, then ui = 1 and vi ∈ X*. 

— Sources/targets of adjacent rewrites match: ui tgt(ρi) vi = u(i+1) src(ρ(i+1)) v(i+1). 

An abstract definition of S_R is as the free sesqui-category on the following 
graph: 




with 2-cells consisting of the rewriting rules of →_R. That S_R is a sesqui-category 
is just a quick way of saying that rewrite sequences with adjacent sources and 
targets can be composed in an associative manner with a unit, and that rewrites 
can be composed on the left and right by words, ie rewrites can be placed in 
context. The arrow H reflects the fact that R_H rewritings can only be composed 
on the right. S_R is not a 2-category as the permutation law of Levy equivalence 
or, equivalently, the interchange laws of a 2-category [13] do not hold. 

These labels contain too much information for obtaining a presentation of the 
subgroup of a coset presentation. For example when we perform Knuth-Bendix 
completion we don’t want to add new labels for the rewriting rules added by the 
completion process. Rather we want to use the span which led to the addition 
of a new rewriting rule as its label. We describe the quotienting of this extra 
information by a sesqui-functor and call this a logged coset rewriting system. 

Definition 17 (Logged Coset Rewriting System). Given a coset presen- 
tation $P = (X, S, Y)$, a logged coset rewriting system (LCRS) consists of a CRS 
$R$ and a sesqui-functor $F : \mathcal{S}_R \to \mathcal{S}_{P^=}$ which is the identity on 0- and 1-cells. 

The fact that $F$ is the identity on 0-cells and 1-cells means all $F$ does is 
to associate each label from the CRS $R$ with a label from the CRS $P^=$, which 
recall is the symmetric closure of the initial CRS $P_0$. We call the functor $F$ the 
log functor of the LCRS. Of course, the initial CRS $P_0$ is a logged CRS with 
the obvious inclusion functor $F : \mathcal{S}_{P_0} \to \mathcal{S}_{P^=}$. As implied above, Knuth-Bendix 
completion not only maps CRSs to CRSs, but also LCRSs to LCRSs, by replacing 
the label of each new rewriting rule by the span which it completed. 

Lemma 18. Let $L = (R, F)$ be a LCRS. If $R^c$ is the Knuth-Bendix completion 
of $R$, then there is a canonical LCRS $L^c = (R^c, F^c)$. 

Proof. Assume at stage $n$ we have a CRS $R_n$ and log functor $F_n : \mathcal{S}_{R_n} \to \mathcal{S}_{P^=}$. 
Given a span $\alpha_1, \alpha_2 : Hw \to Hw_1, Hw_2$ with $Hw_1$ and $Hw_2$ in $R_n$-normal 
form, not only do we form the new CRS $R_{n+1}$ by adding a rule, say, $Hw_1 \to Hw_2$, 
but we also freely generate a log functor $F_{n+1} : \mathcal{S}_{R_{n+1}} \to \mathcal{S}_{P^=}$ 
by setting the log of the rewrite $Hw_1 \to Hw_2$ to be $(F_n\alpha_1)^{-1}\,F_n\alpha_2$. 



So the log functor translates the rewrites of a Knuth-Bendix completed CRS 
into rewrites and their inverses from the initial CRS. The examples of Section 
5 show how the logs for specific completed LCRSs are calculated. However, 
there is more information we wish to delete. For example, all the rewrites in $P_G$ 
describe the construction of the group $G$ from words but tell us nothing about 
the subgroup $H$. Thus for the purposes of obtaining a presentation of $H$ they 
have no computational content and hence we want to ignore them. To do this we 
wish to set their logs to 1. We also wish to throw away the context from a $P_H$ 
rewrite and simply record the particular rules from $P_H$ which were used. Thus 
we define a map $[\_] : \mathcal{S}_{P^=} \to (Y + Y^-)^*$ as follows: 

$$[\alpha v] = y \quad \text{if there is a } y \in Y + Y^- \text{ such that } \alpha = (Hy, H) \in P_H$$

$$[\alpha v] = y^- \quad \text{if there is a } y \in Y + Y^- \text{ such that } \alpha = (H, Hy) \in P_H^{-1}$$

$$[u\alpha v] = 1 \quad \text{if } \alpha \in P_G + (P_G)^{-1}$$
We get a map $[\_] : \mathcal{S}_{P^=} \to (Y + Y^-)^*$ by applying $[\_]$ as defined above to each 
logged rewrite in a rewrite sequence. Putting these maps together, for every 
LCRS $(R, F)$, we have the following chain: 

$$\mathcal{S}_R \xrightarrow{\;F\;} \mathcal{S}_{P^=} \xrightarrow{\;[\_]\;} (Y + Y^-)^* \xrightarrow{\;\theta\;} H \qquad (1)$$

A category theorist will notice that we are abusing notation here in that $F$ is 
a sesqui-functor, while $[\_]$ is mapping the 2-cells/logged rewrites of $\mathcal{S}_{P^=}$ to a 
monoid and $\theta$ is a monoid homomorphism. Nevertheless, equation 1 shows how 
rewrites in a LCRS are converted into words in $(Y + Y^-)^*$. 

A crucial part of our algorithm is that elements of the generating set $(Y + Y^-)^*$, 
while usually regarded as either atomic symbols or words in $X^*$, can also be 
regarded as rewrites in $P_0$ and thus equality on such words can be axiomatised 
via equality of rewrites generated from Knuth-Bendix completion. This is shown 
by the following simple lemma: 

Lemma 19. Let $w \in (Y + Y^-)^*$ be a word. Then there is a rewrite sequence 
$r_w : Hw \to^*_{P_0} H$. Furthermore, $[r_w] = w$. 

Proof. Define $r_w$ by induction. If $w = 1$, set $r_w$ to be the identity rewrite $H \to H$. 
If $w$ is of the form $yw'$ where $y \in Y + Y^-$, then we have a $P_H$-rewrite $\alpha_y : Hy \to H$ 
and $r_w$ can be defined as follows: 

$$Hyw' \xrightarrow{\;\alpha_y w'\;} Hw' \xrightarrow{\;r_{w'}\;} H$$

The second half of the lemma is a trivial calculation. 



By lemma 8, we know that $H$ is the quotient of $(Y + Y^-)^*$ by  . Since critical 
pair completion results in parallel pairs, proving that the equality derived from 
critical pair completion is contained in  is essentially the following lemma. 

Lemma 20. If $\beta : Hw \to^* Hz$ in the LCRS $P_0$, then $w$  $[\beta]z$. Thus if 
$\beta, \beta' : Hw \to^* Hz$, then $[\beta]$  $[\beta']$. 

Proof. The first part of the lemma is clearly true if $\beta$ is a one-step rewrite since: 
i) if $\beta$ is of the form $urv$ for $r \in P_G$, then $[\beta] = 1$ and $w$  $z$; ii) if $\beta$ is of 
the form $rv$ for $r = (Hy, H)$ with $y \in Y$, then $w = yv$, $[\beta] = y$ and $z = v$; and 
iii) a similar argument holds when $\beta$ is of the form $rv$ for $r = (H, Hy) \in P_H^{-1}$. 
The result holds for many-step rewrites since the action of $[\_]$ on a sequence of 
rewrites is just the composition of the action of $[\_]$ on each one-step rewrite. 

For the second part of the lemma, we have $[\beta]z$  $w$  $[\beta']z$. The result 
follows from cancellation of $z$ using a word $z^- \in X^*$ such that $\theta(z^-) = \theta(z)^{-1}$: 

$$[\beta] \quad\; [\beta]zz^- \quad\; [\beta']zz^- \;\sim_G\; [\beta']$$

We now give a presentation of the subgroup generated from a coset presen- 
tation. 




462 Neil Ghani and Anne Heyworth 



Definition 21. Let $L^c = (R^c, F^c)$ be the LCRS arising from Knuth-Bendix 
completion of the initial LCRS. For each critical pair in $R^c$, $\alpha_1, \alpha_2 : Hw \to Hw_1, Hw_2$, 
there are completions $\beta_1, \beta_2 : Hw_1, Hw_2 \to Hw'$. Define $C$ as fol- 
lows: 

$$C = \{ (\alpha_1.\beta_1,\; \alpha_2.\beta_2) \mid \alpha_1, \alpha_2 \text{ is such a critical pair} \}$$

and the equations $R_L$ by: 

$$R_L = \{ ([F^c\gamma], [F^c\gamma']) \mid (\gamma, \gamma') \in C \}$$

All that is left to do is prove that this really is a presentation for the subgroup 
$H$. Lemma 20 is the key to proving that critical pair equality is contained in  , 
so not surprisingly the reverse inclusion depends upon what looks like a partial 
converse to lemma 20. 

Lemma 22. Let $(R^c, F^c)$ be a complete logged rewriting system and assume 
there are rewrites $r_1 : Hw_1 \to^*_{R^c} H$ and $r_2 : Hw_2 \to^*_{R^c} H$ where $w_1$  $w_2$. 
Then $[F^c r_1]$  $[F^c r_2]$. 

Proof. We first prove the lemma when $w_1 = w_2$ using a simple tiling argument 
by induction on the rank of $w$. If either rewrite has length 0, then so does the 
other (because of termination) and so the result is trivial. Otherwise we have 
the following situation: 



where the first rewrite of $r_1$ and the first rewrite of $r_2$ have been completed via a 
critical pair in cell (1), while cells (2) and (3) are formed because the completion 
of this critical pair must rewrite to $H$. After applying $[F^c\_]$ to the rewrites in this 
diagram, cell (1) commutes up to  since it is formed by a critical pair, while 
cells (2) and (3) commute up to  by induction. Thus $[F^c r_1]$  $[F^c r_2]$. 
For the general case, $w_1$ and $w_2$ have a common $R_G$ reduct and the lemma then 
follows from the argument above and the observation that for any $R_G$-rewrite 
sequence $r$, $[F^c r] = 1$. 



Finally, we prove our main theorem: 

Theorem 23. Assume $P = (X, S, Y)$ is a coset presentation for a subgroup 
$H$ of $G$ which generates a complete logged rewriting system $L^c = (R^c, F^c)$ as 
described above. Then $(Y + Y^-, R_L)$ is a monoid presentation for $H$. 




A Rewriting Alternative to Reidemeister-Schreier 



463 



Proof. By lemma 8, we know that $H = (Y + Y^-)^*/$  so the result follows by 
proving that the congruences  and $\sim_{R_L}$ are equal. 

In one direction, consider a critical pair $\alpha_1, \alpha_2$ with completions $\beta_1, \beta_2$. Now 
$(\alpha_1.\beta_1, \alpha_2.\beta_2)$ is a parallel pair and hence by lemma 20 $[F^c(\alpha_1.\beta_1)]$  $[F^c(\alpha_2.\beta_2)]$. 

In the reverse direction, let $h$  $k$. By lemma 19, there are logged rewrites in 
$P_0$ of the form $r_h : Hh \to H$ and $r_k : Hk \to H$. Since $P_0$ is a CRS, we also have 
that $Hh$  $Hk$. By lemma 22, $[r_h] \sim_{R_L} [r_k]$. Since $[r_h] = h$ and $[r_k] = k$, 
$h \sim_{R_L} k$ and hence  is contained in $\sim_{R_L}$. 



5 $S_3$ and an Example with Infinite Cosets 



We illustrate our algorithm with our running example of $S_3$ and another example 
showing the applicability of our algorithm to a situation where one has an infinite 
number of cosets. We have kept the examples simple so the reader can follow 
the examples without too many exhaustive Knuth-Bendix calculations. 

Example 1: For $S_3$, we use the following coset presentation $P = (X, S, Y)$: 

$$X = \{a, b\} \qquad S = \{(aaa, 1), (bb, 1), (abab, 1)\} \qquad Y = \{a\}$$

The subgroup generated by $a$ is $\{1, a, aa\}$ which has as presentation 
$\mathrm{mon}\langle a \mid (aaa, 1) \rangle$. Our algorithm attempts to build a presentation based 
upon 2 generators $a$ and $a^-$. Since $\theta(aa) = \theta(a)^{-1}$, the initial CRS $P_0 = (P_G, P_H)$ 
is: 

$$P_G = \{(aaa, 1), (bb, 1), (abab, 1)\} \qquad P_H = \{(Ha, H), (Haa, H)\}$$

To complete $P_G$, add the rules $\{(bab, a^2), (ba^2, ab), (a^2b, ba), (aba, b)\}$. To complete 
the CRS $P_0$ add the rule $(Hba, Hb)$, since we have the span $Haba \to Hba$ (using $Ha \to H$) 
and $Haba \to Hb$ (using $aba \to b$). As described in the proof of lemma 18, the application of 
$[F^c\_]$ to any rewrite built from this new rewriting rule will be $a^-$. The equations 
of the presentation then come from analysis of the critical pairs. Two of these 
are given below, where we have already applied $[F^c\_]$ to the rewrites. 



[Two diagrams not reproduced: the resolution of the critical pair on $Hbab$ through $Hb^2$ and $Ha^2$ to $H$, and the resolution of the critical pair on $Hbaba$ through $Ha$ to $H$; the edges carry the logs $1$, $a$ and $a^-$.] 




The first diagram above comes from resolving the critical pair that occurs on 
$Hbab$ when the rules $Hba \to Hb$ and $bab \to a^2$ are applied. This gives us 
the relation $aa = a^-$. The second diagram shows the resolution of the pair 
$Hba \to Hb$ and $aba \to b$ on $Hbaba$, which gives us the relation $a^-a = 1$. 
Combining these we get $aaa = 1$. Analysis of other critical pairs gives no new 
equations and since $a^-$ is definable from $a$ we can delete this generator. Thus 
the subgroup generated by this coset presentation is the cyclic group of order 3. 
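As an added illustration (this is not code from the paper or its GAP prototype), the following Python script carries out the logged critical-pair analysis of Example 1 mechanically: it encodes the completed rule set above, writes the log $a$ of $Ha \to H$ as `a` and the log $a^-$ of $Hba \to Hb$ as `A` (an encoding assumed here), resolves every overlap of an $H$-rule with a group rule in both directions, and reports the two logs, whose equality is a relation of the presentation. It also handles the overlaps the text does not list, for instance $Haaa$, which yields $aaa = 1$ directly.

```python
"""Logged coset rewriting for Example 1 (H = <a> in S_3), added illustration.

Words are strings over {a, b}; the coset word Hw is stored as w (H implicit).
Logs are strings over {a, A}: 'a' is the log of the H-rule Ha -> H and 'A'
encodes a^-, the log of the completed rule Hba -> Hb (this encoding is ours).
"""

# Completed group rules P_G: the three relators plus the four completion rules.
G_RULES = [("aaa", ""), ("bb", ""), ("abab", ""),
           ("bab", "aa"), ("baa", "ab"), ("aab", "ba"), ("aba", "b")]

# Completed H-rules (lhs, rhs, log), applied only at the left end of a coset
# word.  Haa -> H is dropped because Ha -> H already rewrites Haa to Ha to H.
H_RULES = [("a", "", "a"), ("ba", "b", "A")]


def step(word):
    """One rewrite step: an H-rule at the prefix if any applies, otherwise the
    first group rule (in list order) at its leftmost occurrence.
    Returns (new_word, log_of_this_step) or None if the word is irreducible."""
    for lhs, rhs, log in H_RULES:
        if word.startswith(lhs):
            return rhs + word[len(lhs):], log
    for lhs, rhs in G_RULES:
        i = word.find(lhs)
        if i >= 0:
            return word[:i] + rhs + word[i + len(lhs):], ""  # group rules log 1
    return None


def normalize(word, log=""):
    """Reduce Hw to its coset normal form, accumulating the logs of the
    H-rules used (group rules contribute the empty log, i.e. 1)."""
    while True:
        nxt = step(word)
        if nxt is None:
            return word, log
        word, step_log = nxt
        log += step_log


def critical_pairs():
    """Overlaps where a suffix of an H-rule lhs is a prefix of a group-rule
    lhs; returns (overlap_word, h_rule, g_rule, offset_of_group_lhs).
    No group lhs is a proper factor of an H lhs here, so that case is omitted."""
    pairs = []
    for hl, hr, hlog in H_RULES:
        for gl, gr in G_RULES:
            for k in range(1, min(len(hl), len(gl)) + 1):
                if hl.endswith(gl[:k]):
                    pairs.append((hl + gl[k:], (hl, hr, hlog), (gl, gr), len(hl) - k))
    return pairs


def resolve(word, h_rule, g_rule, pos):
    """Resolve one critical pair both ways: first step by the H-rule, or first
    step by the group rule; each side is then normalized.  Returns the two
    (target, log) pairs."""
    hl, hr, hlog = h_rule
    gl, gr = g_rule
    via_h = normalize(hr + word[len(hl):], hlog)
    via_g = normalize(word[:pos] + gr + word[pos + len(gl):], "")
    return via_h, via_g


def relations():
    """Map each overlap word to the pair of logs of its two resolutions; the
    equation 'log1 = log2' is one relation of the presentation of H."""
    rels = {}
    for word, h_rule, g_rule, pos in critical_pairs():
        (t1, l1), (t2, l2) = resolve(word, h_rule, g_rule, pos)
        if t1 != t2:
            raise ValueError(f"system not confluent on H{word}: {t1!r} != {t2!r}")
        rels[word] = (l1, l2)
    return rels


if __name__ == "__main__":
    for word, (l1, l2) in relations().items():
        print(f"H{word}: {l1 or '1'} = {l2 or '1'}")
```

Running it prints, among others, `Hbab: A = aa` and `Hbaba: Aa = 1`, the two relations derived in the text.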

Example 2: This example shows how the rewriting methods we describe can be 
applied to the problem of finding a presentation of a subgroup when the group, 
subgroup and the number of cosets are infinite. 

Let $G$ be the group generated by four elements $\{a, b, c, d\}$ of which the first 
pair, $a$ and $b$, commute with each other and the second pair, $c$ and $d$, also com- 
mute with each other. Let $H$ be the subgroup generated by the four elements 
$\{ac, ca, bd, db\}$. The initial coset rewrite system then includes the rewrite rules 
for the group: 

$$\{ (aa^-, 1), (a^-a, 1), (bb^-, 1), (b^-b, 1), (cc^-, 1), (c^-c, 1), (dd^-, 1), (d^-d, 1),$$

$$(ba, ab), (ba^-, a^-b), (b^-a, ab^-), (b^-a^-, a^-b^-),$$

$$(dc, cd), (dc^-, c^-d), (d^-c, cd^-), (d^-c^-, c^-d^-) \}$$

This system is in fact complete. The rules of this type do not give us information 
about the subgroup, so we assign to each of them the identity label. The four 
generators of the subgroup give us four initial $H$-rules: 

$$\{ (Hac, H), (Hca, H), (Hbd, H), (Hdb, H) \},$$

which we label $\alpha_1, \ldots, \alpha_4$ respectively. These are the generators for our presen- 
tation of the group $H$. Their inverses $\alpha_1^{-1}, \ldots, \alpha_4^{-1}$ are the following rules: 

$$\{ (Hc^-a^-, H), (Ha^-c^-, H), (Hd^-b^-, H), (Hb^-d^-, H) \}.$$

Logged completion uses the shortlex order with $a < a^- < b < b^- < \cdots < d^- < H$, 
identifies critical pairs and resolves them, adding new logged rules to the 
system. For example, $Ha^-c^- \to H$ by $\alpha_2^{-1}$ overlaps with $c^-c \to 1$ by $1$. The 
resolution of this is as follows: $Ha^-c^-c \to Hc$ by using a rule labelled by $\alpha_2^{-1}$ 
and $Ha^-c^-c \to Ha^-$ by using a rule labelled by $1$. This gives us the new rule 
$Hc \to Ha^-$ by $\alpha_2$. 

Similarly, $Hbd \to H$ by $\alpha_3$ overlaps with $dc \to cd$ by $1$. The resolution of 
this is as follows: $Hbdc \to Hc$ by using a rule labelled by $\alpha_3$ and $Hc \to Ha^-$ by 
using a rule labelled by $\alpha_2$, while $Hbdc \to Hbcd$ by using a rule labelled by $1$. 
This gives us the new rule $Hbcd \to Ha^-$ by $\alpha_3\alpha_2$. 

As a final example, the rule obtained above $Hbcd \to Ha^-$ by $\alpha_3\alpha_2$ overlaps 
with $dd^- \to 1$ by $1$. The resolution of this is as follows: $Hbcdd^- \to Ha^-d^-$ by 
using a rule labelled by $\alpha_3\alpha_2$ and $Hbcdd^- \to Hbc$ by using a rule labelled by 
$1$. This gives us the new rule $Hbc \to Ha^-d^-$ by $\alpha_3\alpha_2$. We can now remove the 
previous rule $Hbcd \to Ha^-$ from the system, as this is implied by the new rule 
together with $dd^- \to 1$. 

After a few passes of the logged Knuth-Bendix algorithm we have the same 
group rules and the following $H$-rules: 

$$\{ (Hac, H), (Ha^-c^-, H), (Hbd, H), (Hb^-d^-, H), (Hc^-, Ha), (Hc, Ha^-), (Hd^-, Hb),$$
$$(Hd, Hb^-), (Hbc, Ha^-d^-), (Hbc^-, Had^-), (Hb^-c, Ha^-d), (Hb^-c^-, Had) \}$$

with various labels. Now we seek the relations for the subgroup, by looking at 
the critical pairs of the completed system and noting the labelled rules which 
are used in resolving them. For example, $Hac \to H$ overlaps with $cc^- \to 1$. The 
resolution of this is as follows: $Hacc^- \to Hc^-$ by using the rule labelled by $\alpha_1$ 
and $Hc^- \to Ha$ by using the rule labelled by $\alpha_1^{-1}$, and $Hacc^- \to Ha$ by using a 
rule labelled by $1$. This gives us the relation $\alpha_1\alpha_1^{-1} = 1$. If we continue, checking 
all critical pairs, we find that every critical pair yields a trivial relation. Thus, 
$H$ can be proven to be the free group on four generators. 

6 Conclusion 

We have presented an algorithm based upon rewriting for calculating a presen- 
tation for a subgroup of a finitely presentable group. Within this framework, 
the number of relations is computed via the critical pairs of a certain rewrit- 
ing system. This makes it applicable to situations where the group, subgroup 
and the number of cosets are infinite. These examples cannot be tackled by the 
traditional Reidemeister-Schreier algorithm, which has at its core an enumera- 
tion of the elements of the group. The key theoretical idea underpinning our 
algorithm is that the Knuth-Bendix completion procedure can give us not only 
a complete rewriting system, but also that the nature of these completions contains 
valuable information. 

We are currently thinking of taking this research in two directions. Firstly 
we wish to see our algorithm implemented and distributed so that it can be used 
by group theorists. A prototype has already been written for the GAP system 
and we are currently discussing with the GAP group ways to optimise it so as 
to improve its efficiency, etc. A couple of referees did comment on the practical 
viability of our algorithm. The general consensus [5] seems to be a practical one, 
namely that in any given situation we want to have as many methods available 
to try and the best solution may well be a mixture of several approaches. 

In a more theoretical direction, there are a number of other algebraic struc- 
tures, e.g. rings, modules, algebras, where the same problem of obtaining presen- 
tations for substructures arises, and we are developing analogues of the algorithm 
presented in this paper to tackle these questions. 
Abstract. We study orderings $\leq_S$ on reductions in the style of Lévy 
reflecting the growth of information w.r.t. (super)stable sets $S$ of ‘val- 
ues’ (such as head-normal forms or Böhm-trees). We show that sets of 
co-initial reductions ordered by $\leq_S$ form finitary $\omega$-algebraic complete 
lattices, and hence form computation and Scott domains. As a conse- 
quence, we obtain a relativized version of the computational semantics 
proposed by Boudol for term rewriting systems. Furthermore, we give a 
pure domain-theoretic characterization of the orderings $\leq_S$ in the spirit 
of Kahn and Plotkin’s concrete domains. These constructions are carried 
out in the framework of Stable Deterministic Residual Structures, which 
are abstract reduction systems with an axiomatized residual relation on 
redexes, that model all orthogonal (or conflict-free) reduction systems as 
well as many other interesting computation structures. 



1 Introduction 

The idea of representing or identifying a process (or a program, or a term) 
with the domain of all its computations is not new in semantics: it is central to 
the study of event structure semantics of programming languages developed by 
Winskel, Nielsen and Plotkin [Win80,NPW81,Win89]. Berry and Lévy [BL79] 
were the first to base algebraic semantics [NR85] of recursive programs on 
an ordering on the set of computations rather than on the set of terms; they 
used Lévy’s [Lev78,Lev80] embedding relation $\leq_L$ on reductions, and Lévy- or 
permutation-equivalence $\approx_L$ on reductions, which is the largest symmetric rela- 
tion contained in $\leq_L$. Permutation-equivalent reductions result from one another 
by permuting concurrent consecutive steps, hence the name. Developing these 
ideas further, Boudol [Bou85] proposed a computational approach to semantics 
of term rewriting systems [Ter03] in general. Boudol’s idea was to define the 
semantics of a term $t$ in a term rewriting system $(\Sigma, R)$ (where $\Sigma$ is an alpha- 
bet and $R$ is a set of rewrite rules) via the set of $\approx_L$-classes of all $\leq_L$-maximal 
computations starting from $t$. In the case of deterministic (or conflict-free or 
orthogonal) TRSs, a term has exactly one $\leq_L$-maximal computation (up to $\approx_L$), 
which corresponds to a fair computation [Ter03]. To support his computational 
approach to semantics, Boudol defined interpretations of TRSs in the usual alge- 
braic style (i.e., the class of interpretations coincides with the class of $\Sigma$-algebras) 
and showed that the computational semantics coincides with the algebraic one. 

However, Boudol [Bou85] remarked that, ‘besides being a cpo, $\leq_L$ seems to 
have generally no ‘good’ properties (even for deterministic TRSs)’. To clarify the 
problem, we observe that, according to Kahn and Plotkin [KP93], a ‘good’ do- 
main into which to interpret programs must be at least coherent and $\omega$-algebraic; 
they call such domains computation domains. According to Scott [Sco82], ‘good’ 
domains are consistently complete $\omega$-algebraic cpos, now termed Scott domains. 
To quote Plotkin, ‘Algebraicity is an important idea which formalizes some intu- 
itive ideas of finiteness and objects as limits of their finite approximations. Alge- 
braicity allows definitions of computability to provide links with recursion func- 
tion theory and allow results on definability. It allows easy consideration of con- 
structions as powerdomains and enables us to visualize domains as completions 
of structures of finite information’ [Plo83]. Further, Kahn and Plotkin [KP93], 
Girard [Gir87], Winskel [Win89], and many others argue that it is reasonable 
to require ‘good’ domains to be finitary, because in this way finite elements are 
‘really’ finite, i.e., represent only a finite amount of information (built up from 
a finite number of components), and thus cannot be decomposed infinitely. But 
$\leq_L$ is not finitary, and the $\leq_L$-glb of two finite elements need not be finite. 
To recover ‘good’ properties of the reduction space, Boudol [Bou85] studied the 
sub-space of all strongly needed reductions [HL91] and proved that a reduction 
space thus restricted is finitary and $\omega$-algebraic, and conjectured that it corre- 
sponds to the domain of configurations of an event structure and moreover forms 
a concrete domain [KP93]. 

There have been other similar proposals to construct domains with rich al- 
gebraic properties out of the reduction space of a reduction system. For ex- 
ample, in order to construct an event structure semantics for orthogonal (term 
graph) rewriting systems with non-duplicating residual relation, Kennaway et 
al. [KKSV93] restrict themselves to needed reductions of normalizable terms; 
the resulting domain is finitary and distributive (or equivalently, prime alge- 
braic). Finitary distributive domains (also called dI-domains or stable domains) 
are exactly domains of configurations/states (ordered by the subset relation) 
generated by stable event structures [Win80,NPW81,Win89], and are commonly 
accepted domains to model concurrency. 

Thus in all these cases, a linear subspace of reductions is identified on which 
$\leq_L$ forms dI-domains. This works because event structures are equivalent to 
linear reduction systems (where there is no erasure or duplication of redexes): in 
linear systems, $\leq_L$ corresponds to the subset ordering on states of an event struc- 
ture, all permutation-equivalent reductions correspond to the same state, prime 
intervals of the event structure represent reduction steps [Win89], and events can 
be seen as equivalence-classes of prime-intervals [Win89], which are nothing but 
zig-zag-classes [Lev78,Lev80] of the corresponding reduction steps [Gur86]. This 
correspondence is further extended in [KG02] (for the case of stable conflict- 
free systems), where prime event structures (which are equivalent to stable 
ones [Win89]), with an axiomatized erasure relation, are defined. These are to 
non-duplicating reduction systems what event structures are to linear ones. 

In order to achieve a stable event structure semantics, or equivalently, to 
construct a dI-domain out of a reduction space, rather than restricting the re- 
duction space, one could weaken permutation-equivalence into an equivalence 
relation whose equivalence classes would correspond to the same state of a sta- 
ble event structure. This observation led Laneve [Lan94] to introduce distributive 
permutation equivalence in the $\lambda$-calculus, which only equates reductions result- 
ing one from another by permutation of steps that cannot erase or duplicate one 
another. The distributive equivalence coincides with permutation-equivalence 
on needed reductions in non-duplicating orthogonal rewriting systems, but is 
strictly weaker in the case of even the $\lambda I$-calculus, where there is no erasure of re- 
dexes. Similarly, Corradini et al. [CGM95] based their construction on an equiv- 
alence relation generated by permutations of disjoint redexes only, in a general 
categorical model of rewriting. 

In this paper we propose a general method to construct finitary computation 
domains from computation spaces based on new orderings which, unlike Levy’s 
permutation embedding and Laneve’s distributive embedding, we believe truly 
express the growth of information along computations, in the spirit of Scott’s idea 
of Information Systems [Sco82] which underlies the whole theory of semantics of 
programming languages. We thereby further extend Boudol’s computational ap- 
proach to semantics, and develop a ‘relativized’ version for calculi where redexes 
can be duplicated and erased. We restrict ourselves to the conflict-free case, but 
hope our constructions can be generalized based on [Bou85,Mel96]. 

To fully understand the problem, let us examine once again Lévy’s hugely 
successful idea of ‘less work’ and of ‘the same work’. For co-initial finite 
reductions $P, Q$ in an orthogonal rewrite system (e.g. the $\lambda$-calculus), $P$ is less 
than $Q$, written $P \leq_L Q$, if what remains of $P$ after $Q$, the residual $P/Q$ of $P$ 
after $Q$, is empty. And $P$ and $Q$ do the same work, $P \approx_L Q$, if $P \leq_L Q$ and 
$Q \leq_L P$. The ‘real life’ counterparts of an ordering relation, such as ‘greater’, 
‘older’, ‘stronger’, refer to, or are relative with respect to, particular aspects of 
the object/subject one is interested in. But Lévy’s ordering lacks that relativity 
property: suppose we are interested in computing the normal forms of a $\lambda$-term 
$t = Kx(IIx)$, where $K = \lambda x.\lambda y.x$ and $I = \lambda x.x$. Let $P : t \to Kx(Ix)$ and 
$Q : t \to Kx(Ix) \to Kxx$. Clearly $P \leq_L Q$. But both $P$ and $Q$ are unneeded, and 
neither makes progress towards computation of the normal form obtainable from 
$t$ in one $K$-step $t \to x$. In these circumstances, does it really make sense to say that 
‘$Q$ is greater (i.e., does more work) than $P$’? 

To correct this situation, we introduced in [GK02] orderings $\leq_S$ on reduc- 
tions relative to particular sets $S$ of finite or infinite values one may be interested 
in, such as normal forms, head-normal forms, weak head-normal forms, Böhm- 
trees [Bar84], Lévy-Longo-trees [Lev76,Lon83], or Berarducci-trees [Ber96], in 
the $\lambda$-calculus, or root-stable forms [Mid97] in orthogonal TRSs. Such values 
are expressed via (super)stable sets of reductions in Stable Deterministic Resid- 
ual Structures (SDRSs) [GK96]. SDRSs are Abstract Reduction Systems [Ter03] 
with an axiomatized residual relation on redexes, enabling one to define permuta- 
tion equivalence on reductions. SDRSs cover all conflict-free term and (sharing-) 
graph/net rewrite systems, and many other interesting computational struc- 
tures, and we abstract from inessential syntactic structure of the objects. In 
SDRSs one can give abstract proofs of the normalization and minimality the- 
orems [GK96,GK02], relative to (super)stable sets of reductions. Recall from 
[Win89] that families of configurations in stable event structures whose enabling 
relation has a similar ‘minimality’ property generate dI-domains. The concept 
of stability of an event structure can be expressed in terms of our concept of sta- 
ble reduction (configuration) sets: it is trivial to check that an event structure 
is stable [Win89] iff for any event $e$, the set of all configurations containing $e$ is 
stable (in our sense). 

Here we show that the orderings $\leq_S$, which we name (temporarily) reduction 
orderings, form finitary $\omega$-algebraic complete lattices on $\approx_S$-equivalence classes 
of co-initial reductions (where $\approx_S = \leq_S \cap \geq_S$). An ordering $\leq_S$ need not be dis- 
tributive in general, since for example if we take for $S$ the set of all normalizing 
reductions in the $\lambda I$-calculus, then $\leq_S$ coincides with $\leq_L$, and Laneve [Lan94] has 
demonstrated that $\leq_L$ is not distributive (even) for the case of the $\lambda I$-calculus. How- 
ever, any $\leq_S$ contains a substructure which is a dI-domain. This substructure 
corresponds to $S$-needed complete-family reductions [Lev78,Lev80]. (The sub- 
space of complete-family reductions generates a non-duplicating computation 
space as families do not duplicate one another; as we have already mentioned, 
non-duplicating reduction systems are equivalent to event structures with era- 
sure, and the glb operation can simply be expressed via ordinary set-theoretic 
intersection on $S$-needed events/families [KG02].) Thus the reduction orderings 
can be seen as a refinement of dI-domains which reflect computations more 
closely: they directly reflect duplication of redexes, which dI-domains cannot, 
and this is the reason for the loss of the distributivity property. 

Furthermore, we show that reduction orderings can be generated by the per- 
mutation ordering $\leq_L$ on non-erasing conflict-free reduction systems that are 
free from (syntactic) accidents (i.e., co-initial reductions that end at the same 
term are permutation-equivalent). The name reduction ordering was chosen be- 
cause in such systems $\leq_L$ coincides with the reduction relation, which en- 
ables us to give an equivalent domain-theoretic definition of reduction orderings. 
This result is an analog of the well known representation theorems for concrete 
domains [KP93], dI-domains [Win89] and Scott-domains [Sco82,LW93], and the 
key idea is to equip partial orders with well-behaved residual information. 

The following example demonstrates the differences between the domain con- 
structions for duplicating systems discussed above. 

Example 1.1 Consider the $\lambda I$-term $t = (\lambda x.xx)(Iz)$, where $I = \lambda x.x$, used by 
Laneve [Lan94] to demonstrate that Lévy-equivalence need not generate a dI- 
domain from the reduction space of a $\lambda$-term. Figure 1 displays the Hasse dia- 
grams corresponding to the reduction ordering (w.r.t. normal forms), to Laneve’s 
distributive permutation ordering, to Khasidashvili and Glauert’s event order- 
ing [KG02], and to Boudol and Melliès’ external ordering [Bou85,Mel97]. Clearly, 
the reduction ordering describes the computation space of $t$ most closely (the 
corresponding Hasse diagram coincides with the reduction graph of $t$). The dis- 
tributive permutation ordering is not even a lattice (despite the fact that the 
$\lambda$-calculus is conflict-free), but the downward closure of any element is a dis- 
tributive lattice. The external ordering (roughly) corresponds to call-by-name 
computation and cannot adequately account for either call-by-value computa- 
tion from $t$ or for all needed ones (note that call-by-value computation from $t$ to 
normal form is shorter than the two external computations to normal form, hence 
is computationally interesting). The event ordering cannot adequately account 
for call-by-need computation; it accounts well for call-by-value and needed com- 
plete family computations from $t$, but this need not be true for all terms since 
complete family-reductions fail in general to compute minimal normal forms 
(see [GKK00,GK02]). None of these orderings can account for unneeded steps, 
but such steps do not make any progress towards the normal form. 




Fig. 1. The orderings 



In the next section, we recall some relevant concepts briefly. Section 3 con- 
tains the construction of finitary $\omega$-algebraic complete lattices based on reduction 
orderings. In Section 4 we give a domain-theoretic definition of reduction order- 
ings. Conclusions appear in Section 5. Missing definitions and proofs can be 
found in [KG03], as well as in our earlier work [GK96,GK02]. 

2 Preliminaries 

Notation 2.1 We write $u \in t$ if $u$ is a member of the redexes of term $t$, and 
write $U \subseteq t$ if $U$ is a subset of the redexes. One can identify $u$ with the triple 
$t \xrightarrow{u} s$ (the reduction that contracts $u$). Similarly, $U$ may also denote a complete 
development of the set $U$. A reduction is a sequence $t_1 \to t_2 \to \cdots$. Reductions are 
denoted by $P, Q, N$. We write $P : t \twoheadrightarrow s$ or $t \xrightarrow{P} s$ if $P$ denotes a reduction 
from $t$ to $s$. $Q : t \twoheadrightarrow$ may be finite as well as infinite. $P + Q$ denotes the 
concatenation of $P$ and $Q$. Further, for any reduction $Q$, $\lfloor Q \rfloor_k$ will denote the 
initial part of $Q$ of length $k$, provided $k < |Q|$ (the length of $Q$), and $\lceil Q \rceil_k$ will 
denote the tail of $Q$ starting from the $(k+1)$th step; thus $Q = \lfloor Q \rfloor_k + \lceil Q \rceil_k$. 
Finally, we write $P \leq Q$ if $P$ is an initial part of $Q$. 

Definition 2.2 Let $S$ be a set of reductions in a DRS. 

(1) Let $u \in U \subseteq t$ and $P : t \twoheadrightarrow$. We call $P$ external to $U$ (resp. $u$) if $P$ does 
not contract residuals of redexes in $U$ (resp. residuals of $u$). 

(2) We call $u \in t$ $S$-unneeded if there is a reduction $Q \in S$ starting from 
$t$ that is external to $u$, and call it $S$-needed otherwise. We say a reduction $P$ 
is $S$-needed if all its steps contract $S$-needed redexes. The $S$-needed part of $P$, 
$[P]_S$, is a finite or infinite reduction defined by: $[P]_S = u + [P/u]_S$, where $u \in t$ 
is the redex whose residual is contracted first among $S$-needed steps in $P$. 

(3) Let $P, Q$ be co-initial reductions. If $P$ and $Q$ are both finite, then we define 
$P \leq_S Q$ if $P/Q$ is $S$-unneeded. Otherwise, $P \leq_S Q$ if for any finite $P' \leq P$ there 
is a finite $Q' \leq Q$ such that $P' \leq_S Q'$. Further, $P \approx_S Q$ iff $P \leq_S Q$ and $Q \leq_S P$. 
We call $\leq_S$ and $\approx_S$ respectively $S$-embedding and $S$-equivalence. $(P)_S$ denotes 
the $\approx_S$-equivalence class of $P$ (we will show below that $\approx_S$ is an equivalence 
relation). We write $(P)_S \leq_S (Q)_S$ if $P \leq_S Q$. 

It is immediate from the definition that $\leq_L \subseteq \leq_S$. 

Definition 2.3 Let $S$ be a set of reductions in a DRS. 

(1) We call $S$ stable iff: 

[CS] $S$ is suffix-closed: $P' + P'' \in S$ implies $P'' \in S$. 

[CE] $S$ is closed under $S$-embedding: $P \in S$ and $P \leq_S Q$ implies $Q \in S$. 

[CN] $S$ is closed under neededness: every non-empty $P \in S$ contracts at least 
one $S$-needed redex. 

(2) We call $S$ regular iff: 

[Reg] In no term can an $S$-unneeded redex duplicate an $S$-needed one. 

(3) We call $S$ superstable iff: 

[Min] For any $S$-normalizable term $t$, $S$ contains a unique (up to $\approx_L$) $\leq_L$- 
minimal element starting from $t$. Such reductions are called $S$-minimal. 

We call a (regular, super)stable set of reductions in a DRS $\mathcal{R}$ a (regular, super) 
stable semantics of $\mathcal{R}$. Below $S$ will denote a stable (regular or superstable) se- 
mantics of a DRS. 

The following lemma is required from earlier work: 

Lemma 2.4 ([GK02]) Let $S$ be a stable semantics of an SDRS, and let $P : 
t \xrightarrow{u} s \twoheadrightarrow \;\in S$. Further: 

(1) Let $v'$ be a $u$-residual of $v \in t$, and let $v$ be $S$-unneeded. Then so is $v'$. 

(2) Let $u$ create $v \in s$, and let $u$ be $S$-unneeded. Then so is $v$. 

(3) Let $S$ be regular, let $u \neq v \in t$, and let $v$ be $S$-needed. Then $v$ has at 
least one $S$-needed residual in $s$. 

(4) Let $S$ be regular. Then $[P]_S$ is an $S$-needed reduction whose length co- 
incides with the number of $S$-needed steps in $P$, and $P$  $[P]_S$. 
3 Properties of Reduction Orderings

This section contains the construction of $\omega$-algebraic finitary complete lattices
from the reduction spaces of SDRSs.

First of all, we show that $\le_S$ is a partial order, which requires the following
characterization of $\le_S$ via $\le_L$:

Lemma 3.1 Let $P$ and $Q$ be finite co-initial reductions in an SDRS $\mathcal{R}$ with
regular stable semantics $S$. Then $P \le_S Q$ iff $P \le_L Q + Q'$ for some $S$-unneeded $Q'$.

Lemma 3.2 Let $P$, $Q$ and $N$ be co-initial reductions in an SDRS $\mathcal{R}$ with regular
stable semantics $S$, and let $P \le_S Q \le_S N$. Then $P \le_S N$.

Corollary 3.3 Let $S$ be a regular stable semantics of an SDRS $\mathcal{R}$. Then $\approx_S$ is
an equivalence relation, and consequently $\mathcal{L}^{\approx_S}(\mathcal{R}) = (\mathcal{L}^{\approx_S}(\mathcal{R}), \le_S)$ is a partial
order, where $\mathcal{L}^{\approx_S}(\mathcal{R}) = \mathcal{L}(\mathcal{R})/\!\approx_S$ and $\mathcal{L}(\mathcal{R})$ is a set of co-initial reductions in $\mathcal{R}$.

Recall the definition of the $\le_L$-meet operation from [GK02]. Let $\Phi$ be a set
of reductions starting from $t$, in a DRS. Then the $\le_L$-meet of reductions in
$\Phi$, written $\sqcap_L \Phi$, is defined as follows: Let $U \subseteq t$ be the maximal subset such
that $U \le_L \Phi$, and let $t \to_U s$ be a complete development of $U$ (or the multi-step
contracting $U$). Then $\sqcap_L \Phi = U + \sqcap_L(\Phi/U)$.

Note that $P \sqcap_L Q$ need not be a $\le_S$-glb of $P$ and $Q$ even in a DRS corresponding
to a Recursive Program Scheme: Let $\mathcal{R} = \{ g(x) \to h(x, E(x)),\ E(x) \to a \}$,
let $t = g(g(g(x)))$, let $P : t \to h(g(g(x)), E(g(g(x)))) \to h(g(h(x, E(x))), E(g(g(x))))$,
and let $Q : t \to g(h(g(x), E(g(x)))) \to g(h(h(x, E(x)), E(g(x))))$.
Then $t$ contains three redexes $u$, $v$ and $w$, listed in the top-down order, and none
of them are erased in both $P$ and $Q$, thus $P \sqcap_L Q = \emptyset$, while $w \le_S P, Q$ for the
set $S$ of all normalizing reductions. This suggests the following definition:

Definition 3.4 Let $S$ be a stable semantics of an SDRS $\mathcal{R}$, and let $\Phi$ be a set
of reductions in $\mathcal{R}$ starting from $t$. Then:

(1) ($S$-meet) The $S$-meet of $\Phi$, written $\sqcap_S \Phi$, is defined as follows: Let $U \subseteq t$ be
the maximal subset such that $U \le_S \Phi$, and let $t \to_U s$. Then $\sqcap_S \Phi = U + \sqcap_S(\Phi/U)$.

(2) ($S$-join) The $S$-join of reductions in $\Phi$, written $\sqcup_S \Phi$, is defined as follows:
Let $V \subseteq t$ be the set of all redexes that are contracted in the first step of one of
the reductions in $\Phi$, and let $t \to_V s$. Then $\sqcup_S \Phi = V + \sqcup_S(\Phi/V)$.

(3) ($L$-join) We define

We need the following two simple lemmas to prove that $\sqcap_S$ and $\sqcup_S$ are indeed
meet and join operations for $\le_S$.

Lemma 3.5 Let $P, Q$ be finite reductions in an SDRS with regular stable
semantics $S$, let $P \le_L Q$, and let $Q$ be $S$-unneeded. Then so is $P$.

Lemma 3.6 Let $P \le_S Q$ in an SDRS with a regular stable semantics $S$, and let
$N$ be finite and co-initial with $P$. Then $P/N \le_S Q/N$.
Below we use $\Phi$ to denote sets of co-initial reductions. Further, for example
we write $P \le_L \Phi$ iff $\forall Q \in \Phi$, $P \le_L Q$; $\lceil \Phi \rceil^k$ will denote the set of initial parts, of
the length $k$, of reductions in $\Phi$; etc.

First note that if $\Phi$ consists of two finite reductions $P$ and $Q$, then $P \sqcup Q \approx_L
P \sqcup_L Q$, although $P \sqcup Q$ and $P \sqcup_L Q$ are different as multi-step reductions.
Further, since every term contains a finite number of redexes, a finite subset of
$\Phi$ is enough to generate any particular step in $\sqcup_L \Phi$ (even if $\Phi$ contains an infinite
number of reductions). More precisely:

Lemma 3.7 Let $\Phi$ be a set of reductions in a DRS. Then for any $k \le |\sqcup_L \Phi|$,
there is a finite subset $\Phi[k] \subseteq \Phi$ such that

Lemma 3.8 Let $\Phi$ be a set of co-initial reductions in a DRS. Then $\sqcup_L \Phi$ is a
(unique up to $\approx_L$) lub of $\Phi$.

Proof It is immediate from the definition of $\sqcup_L$ that $\Phi \le_L \sqcup_L \Phi$. Now let $\Phi \le_L P$
and let us show $\sqcup_L \Phi \le_L P$, i.e., that $\lceil \sqcup_L \Phi \rceil^k \le_L \lceil P \rceil^{l_k}$ for any $k$ and some $l_k$. By
Lemma 3.7, $\lceil \sqcup_L \Phi \rceil^k = \lceil \sqcup_L \Phi[k] \rceil^k$. Let $l_k$ be such that $\lceil \Phi[k] \rceil^k \le_L \lceil P \rceil^{l_k}$.
Then $(\lceil \sqcup_L \Phi[k] \rceil^k)/\lceil P \rceil^{l_k} \le_L (\sqcup_L \lceil \Phi[k] \rceil^k)/\lceil P \rceil^{l_k} \approx_L \sqcup(\lceil \Phi[k] \rceil^k / \lceil P \rceil^{l_k}) = \emptyset$,
and we are done.

Theorem 3.9 Let $S$ be a regular stable semantics of an SDRS $\mathcal{R}$, and let $\Phi$ be
a set of co-initial reductions in $\mathcal{R}$. Then:

(1) $\sqcap_S \Phi$ is a (unique up to $\approx_S$) $\le_S$-glb of $\Phi$.

(2) $\sqcup_S \Phi$ is a (unique up to $\approx_S$) $\le_S$-lub of $\Phi$.

Proof (1) Let $\sqcap_S \Phi = Q : t_0 \to t_1 \to t_2 \to \cdots$. It is immediate from Definition 3.4 that $Q \le_S \Phi$. Thus we need to show that for any $P$, $P \le_S \Phi \Rightarrow P \le_S Q$,
that is, for any $n \le |P|$, $\lceil P \rceil^n \le_S Q$. We show this by induction on $n$. The
case $n = 0$ (i.e., $P = \emptyset$) is clear. So let $n = k + 1$, and let $\lceil P \rceil^k \le_S Q$. Then
$\lceil P \rceil^k \le_S \lceil Q \rceil^{l_k}$ for some $l_k$. We can assume that $\lceil Q \rceil^{l_k}$ ends at $t_m$ for some
$m$. Now assume that the $(k+1)$th step $u$ of $P$ has an $S$-needed residual $v'$
under $\lceil Q \rceil^{l_k}/\lceil P \rceil^k$ (otherwise, there is nothing to prove). Since $\lceil P \rceil^k/\lceil Q \rceil^{l_k}$ is
$S$-unneeded, by Lemma 2.4(2) there must be an $S$-needed redex $v''$ in the final
term $t_m$ of $\lceil Q \rceil^{l_k}$ such that $v'$ is its $(\lceil P \rceil^k/\lceil Q \rceil^{l_k})$-residual. Furthermore, $v'$ is the
only $(\lceil P \rceil^k/\lceil Q \rceil^{l_k})$-residual of $v''$ by regularity of $S$, thus $v'' \le_S P/\lceil Q \rceil^{l_k}$. But
$P \le_S \Phi$, hence $P/\lceil Q \rceil^{l_k} \le_S \Phi/\lceil Q \rceil^{l_k}$ by Lemma 3.6. Thus, $v'' \le_S \Phi/\lceil Q \rceil^{l_k}$, and $v''$
must be contracted in $U_m$ (by Definition 3.4). Hence $v'/(U_m/(\lceil P \rceil^k/\lceil Q \rceil^{l_k})) = \emptyset$,
and we are done.

(Figure: the residual diagram for this argument, with $\lceil P \rceil^k$, $\lceil Q \rceil^{l_k}$, their join, $t_0$ and $v'' \in U_m$; not reproduced.)

(2) By Definition 3.4(2), $\Phi \le_L \sqcup_S \Phi$, implying $\Phi \le_S \sqcup_S \Phi$. Now let $\Phi \le_S P$
and let us show $\sqcup_S \Phi \le_S P$, i.e., that $\lceil \sqcup_S \Phi \rceil^k \le_S \lceil P \rceil^{l_k}$ for any $k$ and some
$l_k$. By Lemma 3.7, $\lceil \sqcup_S \Phi \rceil^k = \lceil \sqcup_S \Phi[k] \rceil^k$, and $\Phi \le_S P$ implies $\lceil \Phi[k] \rceil^k \le_S
P$. Let $l_k$ be such that $\lceil \Phi[k] \rceil^k \le_S \lceil P \rceil^{l_k}$. Then $(\sqcup_S \lceil \Phi[k] \rceil^k)/\lceil P \rceil^{l_k} \le_L
(\sqcup_L \lceil \Phi[k] \rceil^k)/\lceil P \rceil^{l_k} \approx_L \sqcup(\lceil \Phi[k] \rceil^k/\lceil P \rceil^{l_k})$, and $\sqcup(\lceil \Phi[k] \rceil^k/\lceil P \rceil^{l_k})$ is $S$-unneeded
by Lemma 2.4(1). Thus $(\sqcup_S \lceil \Phi[k] \rceil^k)/\lceil P \rceil^{l_k}$ is $S$-unneeded by Lemma 3.5, i.e.,
$\lceil \sqcup_S \Phi \rceil^k \le_S \lceil P \rceil^{l_k}$, implying $\sqcup_S \Phi \le_S P$.

Corollary 3.10 Let $S$ be a regular stable semantics of an SDRS $\mathcal{R}$. Then
$\mathcal{L}^{\approx_S}(\mathcal{R})$ is a complete lattice with meet and join operations $\sqcup_S$ and $\sqcap_S$ defined
by: $\sqcup_S (\Phi)_S = (\sqcup_S \Phi)_S$ and $\sqcap_S (\Phi)_S = (\sqcap_S \Phi)_S$.

Now we can soundly define the relativized stable computational semantics for
an SDRS $\mathcal{R}$ as follows: Let $S$ be a regular stable semantics of $\mathcal{R}$, and let $t$ be an
$S$-normalizable term in $\mathcal{R}$. Then the value of $t$ in $\mathcal{R}$ w.r.t. $S$ is the $\le_S$-maximal
$\approx_S$-equivalence class of reductions starting from $t$, in $\mathcal{L}^{\approx_S}(\mathcal{R})$. Thus for example
in the case of Böhm-semantics, the Böhm-tree $BT(t)$ of $t$ is represented by the
set of all reductions computing $BT(t)$, which form the $\le_{S_B}$-maximal $\approx_{S_B}$-class
of reductions starting from $t$ (where $S_B$ is the set of all reductions computing
Böhm-trees, see [GK02] for details).

Lemma 3.11 Let $S$ be a regular stable semantics of an SDRS $\mathcal{R}$, let $U \subseteq t$ be
a set of $S$-needed redexes in $t$, let $N : t \twoheadrightarrow$ be $S$-needed, and let $N \le_S U$. Then
$N$ is a development of $U$, thus is finite.

This lemma is used in the proof of the following crucial lemma for establishing
finiteness of $\mathcal{L}^{\approx_S}(\mathcal{R})$.

Lemma 3.12 Let $S$ be a regular stable semantics of an SDRS $\mathcal{R}$, let $P \le_S Q$,
and let $[Q]_S$ be finite. Then so is $[P]_S$.

Hence, by Lemma 2.4(4), we can soundly define $(P)_S$ to be finite iff $P$
contracts only a finite number of $S$-needed redexes, or equivalently if $[P]_S$ is
finite. The following lemma justifies our definition:

Lemma 3.13 Let $S$ be a regular stable semantics for an SDRS $\mathcal{R}$. Then $(P)_S$ is
finite iff it is a finite element of $\mathcal{L}^{\approx_S}(\mathcal{R})$.

Now, using Lemmas 3.13 and 2.4(4) and Theorem 3.9, we can prove finiteness
and algebraicity of $\mathcal{L}^{\approx_S}(\mathcal{R})$:

Theorem 3.14 Let $S$ be a regular stable semantics for an SDRS $\mathcal{R}$. Then
$\mathcal{L}^{\approx_S}(\mathcal{R})$ is a finitary $\omega$-algebraic complete lattice.

Proof (Algebraicity) Let $Q$ be a reduction in $\mathcal{R}$ and let $\Phi = \{ N \mid (N)_S \text{ finite},\ N \le_S Q \}$.
Then $(\Phi)_S$ consists of all finite elements of $\mathcal{L}^{\approx_S}(\mathcal{R})$ dominated by
$(Q)_S$. It follows from Lemma 3.1 and Lemma 2.4(1) that for any finite subset
$\Phi' \subseteq \Phi$, $\sqcup_S \Phi' \in \Phi$ (since we can assume that all reductions in $\Phi$ are finite), thus
$(\Phi)_S$ is directed. Thus we want to prove that $(\sqcup_S \Phi)_S = (Q)_S$. It is immediate
from Definition 3.4 that $Q = \sqcup_S \{ \lceil Q \rceil^n \mid n \le |Q| \}$. But $\{ \lceil Q \rceil^n \mid n \le |Q| \} \subseteq \Phi$,
thus $Q = \sqcup_S \{ \lceil Q \rceil^n \mid n \le |Q| \} \le_S \sqcup_S \Phi$. On the other hand, $\sqcup_S \Phi$ is the $\le_S$-lub of $\Phi$ by
Theorem 3.9, thus $\sqcup_S \Phi \le_S Q$. Hence $(\sqcup_S \Phi)_S = (Q)_S$.

(Finiteness) Let $(P)_S$ be finite in $\mathcal{L}^{\approx_S}(\mathcal{R})$. By Lemmas 3.13 and 2.4(4), we
can assume $P$ to be $S$-needed and finite. Suppose on the contrary that $(P)_S$
dominates an infinite number of elements of $\mathcal{L}^{\approx_S}(\mathcal{R})$. Then by Lemma 2.4(4)
there is an infinite set $\Phi$ of $S$-needed reductions such that $\Phi \le_S P$. Since the
reduction tree corresponding to $\Phi$ is finitely-branching (because a term may
contain only a finite number of redexes), $\Phi$ must contain an infinite $S$-needed
reduction $Q \le_S P$ (by König's Lemma), contradicting Lemma 3.12.

The above theorem fails for (irregular) stable semantics $S$ in general [KG03].

4 A Representation Theorem for the Reduction Orderings

In a previous section, we defined reduction orderings $\le_S$ as orderings generated
by pairs $(\mathcal{R}, S)$, where $S$ is a regular stable semantics for an SDRS $\mathcal{R}$. Now we
wish to give an equivalent definition in domain-theoretic terms. Such results in
the literature are called representation theorems: for example, concrete domains
(defined by restricting partial orders with a number of axioms) are exactly the
domains generated by Information Matrices [KP93] (often called Concrete Data
Structures [Cur86]), dI-domains are domains generated by Prime (or equivalently,
Stable) Event Structures [Win89], and Scott domains are domains generated
by Information Systems [Sco82,LW93].

To define (i.e., to fully characterize) orderings $\le_S$ domain-theoretically, we
note that $\le_S$ is built from a pair $(\mathcal{R}, S)$, and in the transition from $(\mathcal{R}, S)$
to $\le_S$ some information, namely the residual information, gets ignored. This
suggests that, up to some isomorphism, $(\mathcal{R}, S)$ is nothing but $\le_S$ equipped with
appropriate residual information. The idea of partial orders with residuals is
not precisely new: all the above mentioned representation results implicitly use
a linear residual concept. In the case of reduction orderings, the crucial step
enabling us to define the correct residual relation is the observation that all
reduction orderings can actually be generated as permutation orderings $\le_L$ on
some non-erasing SDRSs $\mathcal{R}_S$ that are (syntactic) accident-free (defined shortly).

The next definition shows how to define such `projections' of $\le_S$ onto $\le_L$.
There, it is enough (and convenient) to consider only comma-SDRSs $\mathcal{R}$, whose
underlying ARSs are reduction graphs of a fixed initial term. The $S$-projection of
an SDRS consists of (isomorphic copies of) projections of its comma-(sub)SDRSs.

Definition 4.1 ($S$-projection) Let $\mathcal{R}$ be a comma-SDRS with a regular stable
semantics $S$. Then the $S$-projection of $\mathcal{R}$ is an SDRS $\mathcal{R}_S$ defined as follows:

• Terms in $\mathcal{R}_S$ are $\approx_S$-classes $(P)_S$ of finite initial reductions $P$ in $\mathcal{R}$ (that
is, $P$ starts with the initial term);

• Arrows in $\mathcal{R}_S$ are pairs $(P)_S \to_S (P + u)_S$, where $u$ is an $S$-needed redex
in the final term of $P$. (The empty redex in $(P)_S$ can be defined as the pair
$(P)_S \to_S (P)_S$.)

• The residual relation $/_S$ in $\mathcal{R}_S$ is defined as follows: Let $(P)_S \xrightarrow{u^*}_S (P + u)_S$
and $(P)_S \xrightarrow{v^*}_S (P + v)_S$ in $\mathcal{R}_S$. Then for any $S$-needed $v' \in v/u$, $(P + u)_S \xrightarrow{v'^*}_S
(P + u + v')_S$ is a $u^*$-residual of $v^*$, written $v'^* \in v^*/_S u^*$.

Thus any redex $Pu$ in $\mathcal{R}$ (whose history $P$ is an initial reduction) is assigned
a unique redex $(P)_S \to_S (P + u)_S$ in $\mathcal{R}_S$, although different redexes (with
histories) in $\mathcal{R}$ may have the same corresponding redex in $\mathcal{R}_S$. This assignment
induces a function $h$ from (parts of) initial reductions in $\mathcal{R}$ to initial reductions
in $\mathcal{R}_S$ with the following properties:

• If $P = P_1 + P_2$ is an initial reduction in $\mathcal{R}$, then $h(P_1 + P_2) = h(P_1) + h(P_2)$;

• If $N$ is an initial reduction in $\mathcal{R}$, then $h(N) = \emptyset$ iff $N$ is $S$-unneeded.

Although the converse of $h$ is not a function, for any initial reduction $P'$ in $\mathcal{R}_S$
there is a unique $S$-needed initial reduction in $\mathcal{R}$, noted $h'(P')$, that contracts
the `same' redexes as $P'$, i.e., $h(h'(P')) = P'$, and therefore $h'(h(P)) = P$
for any $S$-needed initial reduction $P$ in $\mathcal{R}$. Thus $(h, h')$ gives an isomorphism
between $S$-needed initial reductions in $\mathcal{R}$ and initial reductions in $\mathcal{R}_S$. Using
these properties of $h$, we can quite easily prove the correctness of Definition 4.1.
First a definition:

Definition 4.2 Let $\mathcal{R}$ be a comma-SDRS. We call $\mathcal{R}$ good if it is non-erasing
and accident-free:

• [NE]: for any co-initial distinct redexes $t \xrightarrow{u} s$ and $t \xrightarrow{v} e$ in $\mathcal{R}$, $v/u \ne \emptyset$.

• [AF]: for any initial reductions $P$ and $Q$ in $\mathcal{R}$ that end at the same term $t$,
$P \approx_L Q$.$^1$ Note that $P \sqcup Q$ ends at $t$, too.

Lemma 4.3 Let $\mathcal{R}$ be a comma-SDRS with a regular stable semantics $S$. Then
$\mathcal{R}_S$ is a good SDRS. (Hence in particular Definition 4.1 is sound.)

For a comma-SDRS $\mathcal{R}$, assume that $\mathcal{L}^{\approx_S}(\mathcal{R})$ and $\mathcal{L}^{\approx_L}(\mathcal{R})$ denote the
corresponding orderings w.r.t. the initial term. Proof of the desired result is easy:

Theorem 4.4 Let $S$ be a regular stable semantics of a comma-SDRS $\mathcal{R}$. Then
$\mathcal{L}^{\approx_L}(\mathcal{R}_S)$ and $\mathcal{L}^{\approx_S}(\mathcal{R})$ are isomorphic.

Proof Since initial reductions in $\mathcal{R}_S$ are exactly reductions $h(P)$ for initial ($S$-needed)
reductions $P$ in $\mathcal{R}$, the theorem follows immediately from the fact that
$P \le_S Q$ in $\mathcal{R}$ iff $h(P) \le_L h(Q)$ in $\mathcal{R}_S$.

In non-erasing SDRSs, $\le_L$ coincides with the fair ordering $\le_{fair}$, i.e., the
ordering $\le_{S_{fair}}$ where $S_{fair}$ is the set of all fair [Ter03] reductions; this follows
immediately from the fact that at least one residual of any redex $u \in t$ in a
non-erasing SDRS must be contracted in every fair reduction starting from $t$
(and from the fact that a reduction is fair iff so is any of its tails).

$^1$ A simple pair of co-initial reductions, namely $P : I(Ix) \to Ix$ and $Q : I(Ix) \to Ix$,
that end at the same term but are not Lévy-equivalent was given by Lévy [Lev78],
where this phenomenon is called a syntactic accident.




Zurab Khasidashvili and John Glauert

Furthermore, because of accident-freeness, in good SDRSs (differently from
SDRSs in general) there is at most one step between any pair of terms $(t, s)$, thus
the reduction relation can be given as a set of pairs. That is, a good SDRS is a
triple $\mathcal{R} = (Ter, \to, /)$, where $Ter$ is a set of objects (called terms) containing an
initial term $t_0$, $\to$ is a set of pairs, and $/$ is a residual relation (satisfying SDRS-axioms).
Furthermore, in good SDRSs $\mathcal{R}$, $\le_L$ on finite elements is isomorphic to
$\twoheadrightarrow$, the reduction relation on $\mathcal{R}$:

Theorem 4.5 Let $\mathcal{R} = (Ter, \to, /)$ be a good SDRS and $\mathcal{L}_{fin}(\mathcal{R})$ be the set of
all finite initial reductions in $\mathcal{R}$. Then $\mathcal{L}^{\approx_L}_{fin}(\mathcal{R}) = (\mathcal{L}^{\approx_L}_{fin}(\mathcal{R}), \le_L)$ is isomorphic to
$(Ter, \twoheadrightarrow)$, and $\mathcal{L}^{\approx_L}(\mathcal{R}) = (\mathcal{L}^{\approx_L}(\mathcal{R}), \le_L)$ is isomorphic to $\le_{\mathcal{R}} = IC(Ter, \twoheadrightarrow)$,
the ideal completion of $(Ter, \twoheadrightarrow)$ (infinite ideals of $\le_{\mathcal{R}}$ correspond to
classes of infinite reductions in $\mathcal{R}$).

Proof By [AF], every term $t \in Ter$ uniquely determines exactly one element
$(P_t)_L$ of $\mathcal{L}^{\approx_L}_{fin}(\mathcal{R})$, where $P_t$ is any initial reduction ending with $t$. Furthermore,
$t \twoheadrightarrow s$ iff $(P_t)_L \le_L (P_s)_L$. Indeed, if $N : t \twoheadrightarrow s$, then by [AF] $P_s \approx_L P_t + N$,
implying $P_t \le_L P_s$; and conversely, $P_t \le_L P_s$ implies $P_s \approx_L P_t + P_s/P_t$ and
clearly $P_s/P_t : t \twoheadrightarrow s$. By Lemma 3.13, $\mathcal{L}^{\approx_L}_{fin}(\mathcal{R})$ coincides with the set of finite
elements of $\mathcal{L}^{\approx_L}(\mathcal{R})$, hence $\mathcal{L}^{\approx_L}(\mathcal{R})$ is isomorphic to $\le_{\mathcal{R}}$ (see [DP90], pp. 82-83).

Thus, we need to provide a domain-theoretic characterization of (ideal
completions of) orderings $(Ter, \twoheadrightarrow)$ for good SDRSs $\mathcal{R} = (Ter, \to, /)$, which
are finitary $\omega$-algebraic complete lattices of a special form. It is standard (after
[KP93]) to associate with a partial order $\le = (D, \le_D)$ an ARS (or a transition
system) $A_{\le} = (Ter_{\le}, \to_{\le})$ such that $Ter_{\le} = D$ and $t \to_{\le} s$ iff $t \lessdot_D s$ (in $D$),
where $t \lessdot_D s$ iff $t <_D s \wedge \forall o \in D : (t \le_D o \le_D s \Rightarrow t = o \vee s = o)$. The
relation $\lessdot_D$ is called covering. A sequence of the form $t \lessdot_D t_1 \lessdot_D \cdots$
is called a covering chain, or a covering $(t, s)$-chain when $t_i \le_D s$. We call a
covering $(t, s)$-chain maximal if it is infinite or cannot be extended.

Since any algebraic cpo $\mathcal{E}$ is obtained as the ideal completion of its subset of
finite elements (noted $F(\mathcal{E})$), it is enough to axiomatize properties of finite
elements only. Therefore, following [Cur86], if in a pair $t \lessdot_D s$ in an algebraic cpo
both $t$ and $s$ are finite, we write it as $[t, s]_D$ (or simply as $[t, s]$) and call it a prime
interval, although the definition of (prime) intervals $[t, s]$ say in [KP93,Win80]
does not require $t$ and $s$ to be finite. Similarly, if all $t_i$ in a covering chain
$t \lessdot_D t_1 \lessdot_D \cdots$ are finite, we write it also as $[t \lessdot_D t_1 \lessdot_D \cdots]$.

Note that in non-erasing SDRSs, the residual relation is defined uniquely by
the corresponding lub operation: If $t \xrightarrow{u} s$ and $v \in t$, exactly the redexes $v' \in s$ such
that $u + v' \le_L u \sqcup v$ are $u$-residuals of $v$. This is of course not true in erasing SDRSs.
This observation allows us to define a residual relation in complete lattices:

Definition 4.6 Let $\le = (D, \le_D, \sqcup_D, \sqcap_D)$ be a complete lattice.

(1) We define the residual relation $/_D$ as the reflexive and transitive closure
of the following relation:

• For any pair of co-initial prime intervals $u = [t, o]$, $v = [t, s]$ in $D$, $u /_D v =
\{ [s, e] \mid e \le s \sqcup o \}$.

(2) We write $t \lessdot_D s \lessdot^{c}_D s^*$ if, for any $o \in D$ such that $t \lessdot_D o$, $s^* \not\le_D
s \sqcup_D o$, and say that $t \lessdot_D s$ creates $s \lessdot_D s^*$. We write $[t \lessdot_D s \lessdot^{c}_D s^*]$ to
indicate that $t$, $s$ and $s^*$ are finite.
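As an added illustration (ours, not the paper's) of Definition 4.6 and of the preceding remark on non-erasing SDRSs, take the non-erasing rules $g(x) \to h(x, x)$ and $I(x) \to x$ with initial term $t_0 = g(I(x))$; the rules and names are chosen here and do not come from the page. By [AF] the finite elements of the ordering can be identified with the terms reached from $t_0$, and computing residuals with $/_D$ recovers the term-level residuals, including the duplication of the $I$-redex by the $g$-step:

$$
\begin{array}{l}
t_0 = g(I(x)),\quad o = g(x)\ (\text{contract } I(x)),\quad s = h(I(x), I(x))\ (\text{contract } g),\\[3pt]
u = [t_0, o],\quad v = [t_0, s],\quad s \sqcup_D o = h(x, x),\\[3pt]
\text{prime intervals from } s:\ [s, h(x, I(x))],\ [s, h(I(x), x)];\quad \text{from } o:\ [o, h(x, x)],\\[3pt]
u /_D v = \{ [s, e] \mid e \le s \sqcup_D o \} = \{ [s, h(x, I(x))],\ [s, h(I(x), x)] \},\\[3pt]
v /_D u = \{ [o, e] \mid e \le s \sqcup_D o \} = \{ [o, h(x, x)] \},\\[3pt]
\text{[NT] holds: } s, o <_D s \sqcup_D o,\quad \text{and } h(x, I(x)) \sqcup_D h(I(x), x) = h(x, x).
\end{array}
$$

The two elements of $u /_D v$ are exactly the two copies of the $I$-redex in $h(I(x), I(x))$, and the single element of $v /_D u$ is the $g$-redex surviving the $I$-step, so the lattice alone, with no residual data attached, determines the residual relation of this non-erasing system.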

We now reformulate the axioms of good SDRSs in domain-theoretic terms.

Definition 4.7 Let $\le = (D, \le_D, \sqcup_D, \sqcap_D)$ be a (finitary $\omega$-algebraic) complete
lattice such that:

• [FB] (finite branching) For any $t \in F(D)$, there are only a finite number of
$s \in D$ such that $t \lessdot_D s$ (such an $s$ must be finite).

• [NT] (no triangles) For any pair of different co-initial prime intervals $[t, s]$
and $[t, o]$ in $D$, $s, o <_D s \sqcup o$.

• [SD] (semi-distributivity) For any triple of co-initial prime intervals $[t, s]$,
$[t, e]$, and $[t, o]$ in $D$, $s \sqcup_D (o \sqcap_D e) = (s \sqcup_D o) \sqcap_D (s \sqcup_D e)$. (Note here that, by
[NT], $s \sqcup_D (o \sqcap_D e) = s$.)

• [FC] (finite chains) For any set of co-initial prime intervals $[t, s_i]$, any
maximal covering $(t, \sqcup_D s_i)$-chain is finite and ends with $\sqcup_D s_i$.

• [S] (stability) For any $t, s, s^*, e, e^* \in F(D)$ such that $[t \lessdot_D s \lessdot^{c}_D s^*]$
and $[t \lessdot_D e \lessdot^{c}_D e^*]$, $(s \sqcup_D e^*) \sqcap_D (e \sqcup_D s^*) = e \sqcup_D s$.

Then we call $\le$ a complete regular domain (CRD).

By Definition 4.6, we may as well refer to a CRD as a triple $\le = (D, \le_D, /_D)$.
Using this definition, we can show that good SDRSs and CRDs are equivalent
models. We need two simple lemmas first:

Lemma 4.8 Let $(D, \le, \sqcup, \sqcap)$ be a CRD, and let $[t, s]$, $[t, s_i]$ ($0 \le i \le m$) be
prime intervals such that $s \ne s_i$. Then $s < s \sqcup (\sqcup s_i)$ and $\sqcup s_i < s \sqcup (\sqcup s_i)$.

Lemma 4.9 Let $\le = (D, \le_D, \sqcup_D, \sqcap_D)$ be a CRD, let $[e_0 \lessdot_D e_1 \lessdot_D \cdots
\lessdot_D e_m]$, and let $[e_0 \lessdot_D e_0']$. Then $[e_m, e_m']$ is a residual, w.r.t. $/_D$, of $[e_0, e_0']$
iff $e_m' \le_D e_0' \sqcup_D e_m$, and the lub of all such $e_m'$ is $e_0' \sqcup_D e_m$.

The above lemma says that the residual relation is independent of a covering
sequence between $e_0$ and $e_m$.

Theorem 4.10 Good SDRSs and complete regular domains are equivalent
models. More precisely:

(1) For any good SDRS $\mathcal{R} = (Ter, \to, /)$, $\le = IC(Ter, \twoheadrightarrow)$ is a CRD
(where $\twoheadrightarrow$ is the transitive reflexive closure of $\to$).

(2) If $\le = (D, \le_D, /_D)$ is a CRD, then $\mathcal{R}_{\le} = (F(D), \lessdot_D, /_D)$ is a good
SDRS and $\le$ is isomorphic to $IC(F(D), \lessdot_D)$ (where $\lessdot_D$ and $/_D$ are
restrictions, to $F(D)$, of these relations in $\le$).

Proof

(1) By Theorems 3.14, 4.4 and 4.5, $\le = IC(Ter, \twoheadrightarrow)$ is a finitary $\omega$-algebraic
complete lattice (we denote by $\sqcup_{\le}$ and $\sqcap_{\le}$ the corresponding lub and
glb operations). Then [FB] is immediate. [NT] is immediate from [NE]. To show







[SD] (in its simplified form), let $[t, s]$, $[t, e]$, and $[t, o]$ be prime intervals in $\le$.
Then $s \twoheadrightarrow s \sqcup_{\le} e$ and $s \twoheadrightarrow s \sqcup_{\le} o$, hence $s \twoheadrightarrow (s \sqcup_{\le} e) \sqcap_{\le} (s \sqcup_{\le} o) = s^*$. If on the
contrary $s \ne s^*$, then for any $s'$ such that $s \lessdot s' \twoheadrightarrow s^*$, we would have that
the redex $[s, s']$ is a $[t, s]$-residual of both redexes $[t, o]$ and $[t, e]$ in $\mathcal{R}$, a contradiction.
To prove [FC], let $[t_0, s_i]$ be prime intervals in $\le$, and let $P : t_0 \lessdot \cdots$
be a $(t_0, \sqcup_{\le} s_i)$-chain. Then $P$ is a development of the set of redexes $[t_0, s_i]$ in
$\mathcal{R}$ by Lemma 4.9 (since the residual relation generated by $(Ter, \twoheadrightarrow)$ coincides
with $/$), and [FC] follows from [FD] (finiteness of developments) for $\mathcal{R}$. Finally,
[S] follows immediately from [NT] and stability of $\mathcal{R}$.

(2) We need to prove that the residual relation in $\mathcal{R}_{\le}$ satisfies the axioms
of good SDRSs. The fact that every term contains a finite number of redexes
is immediate from [FB], and the fact that every redex is a residual of at most
one redex follows from [SD]. The axiom [AF] follows from the fact that in a complete
lattice, the lub of two elements $a$ and $b$ does not depend on covering chains
leading from the bottom element to $a$ and $b$. By Lemma 4.9, [FD] implies [FC],
and stability of $\mathcal{R}_{\le}$ follows from [S].

Remark 4.11 (Imposing more structure on $\le_S$) The projection of pairs
$(\mathcal{R}, S)$ onto SDRSs $\mathcal{R}_S$ induces a projection of pairs $(\mathcal{F}, S)$ onto $\mathcal{F}_S = (\mathcal{R}_S, \sim_S)$,
where $\mathcal{F} = (\mathcal{R}, \sim)$ is a DFS with family relation $\sim$. It is easy to show that for
any DFS $\mathcal{F}$ with a regular stable semantics $S$, $\mathcal{F}_S$ is a DFS (see [KG03]). Thus
orderings $\le_S$ generated by pairs $(\mathcal{F}, S)$ are generated by good DFSs, i.e., DFSs
$\mathcal{F} = (\mathcal{R}, \sim)$ such that $\mathcal{R}$ is good. And furthermore the family relation $\sim$ induces
an equivalence relation on prime intervals in $\le_{\mathcal{R}}$ that is a family relation (when
considering $\le_{\mathcal{R}}$ as an SDRS). There may be more than one way to define a family
relation on a (good) SDRS,$^2$ so in general the family axioms do add strength to
complete regular domains. Furthermore, we can impose the minimality property
(the counterpart of superstability of reduction sets) on regular stable domains
to obtain an even better behaved ordering.

5 Conclusions and Future Work

We have defined stable computational semantics for deterministic reduction
systems based on very natural orderings $\le_S$ reflecting the growth of information
towards the value of an expression w.r.t. a semantics $S$ specified by a set of
computations. We showed that $\le_S$ are finitary $\omega$-algebraic complete lattices of
a special form (containing dI-domains as substructures), and gave their equivalent
domain-theoretic characterization. The proposed semantics unifies Boudol's
computational approach to semantics [Bou85] with Winskel's stable Event Structure
Semantics [Win89] (in the conflict-free case). We have learned that the
`finest' good domains to model functional calculi are actually the domains
generated by the calculi themselves.

$^2$ This is related to the separability problem: a redex may create a number of redexes
that may be put in different families, as well as in the same family, without violating
the family axioms [KG97].

The importance of the concepts of stability and dI-domains for construction
of models of functional calculi (based on the $\lambda$-calculus) and for the full
abstraction problem [BCL85,Ong95], as well as for modelling polymorphism
[Gir86,CGW89], is well understood, and we hope that our results will contribute
to progress in these areas. The interpretation of DFSs into non-duplicating
ones proposed in [KG97] maps good DFSs into linear DFSs which generate
dI-domains, and we can readily get denotational models for lambda-calculi with
different stable semantics using Berry's construction [Ber79]. However, more
direct ways of using the orderings $\le_S$ in the study of denotational models of $\lambda$-
and related calculi deserve further investigation. The precise relevance of family
axioms and the minimality for regular stable domains is presently unknown.
Abstract. This paper provides an algorithm to compute the complement
of tree languages recognizable with A-TA (tree automata with associativity
axioms [16]). Due to this closure property together with the
previously obtained results, we know that the class is boolean closed,
while keeping recognizability of A-closures of regular tree languages. In
the proof of the main result, a new framework of tree automata, called
sequence-tree automata, is introduced as a generalization of Lugiez and
Dal Zilio's multi-tree automata [14] of an associativity case. It is also
shown that recognizable A-tree languages are closed under a one-step
rewrite relation in case of ground A-term rewriting. This result allows us
to compute an under-approximation of A-rewrite descendants of recognizable
A-tree languages with arbitrary accuracy.



1 Introduction 

In the tree automata theory, the following question has been asked frequently: 
What are natural definitions of equationally and boolean closed tree languages? 
The class of regular tree languages, which is the counterpart of regular word 
languages, is known to be well-behaved, such as to be closed under boolean oper- 
ations together with many positive decidability properties [4,8]. However, under 
consideration of several equational axioms, the equational closures of regular tree 
languages are no longer regular [6]. Due to this problem, recently there have been
several attempts in which the tree automata framework is extended. Alternating 
two-way AC-tree automata of Goubault-Larrecq and Verma [9] succeeded in the 
sense that AC-closed tree languages can be recognized, while keeping decidability 
of the intersection-emptiness problem. Lugiez and Dal Zilio coped with the same 
question by inventing multi-tree automata [14]. Their extended framework is use- 
ful for manipulating flattened-tree languages. Actually, the framework provides 
the starting basis of this research, because the authors have shown that there 
exists some subclass of regular tree languages closed under the AC-congruence
relation and under boolean operations. However, multi-tree automata for
associativity axioms are not powerful in practice. For instance, the multi-trees like
$f(a, \ldots, a, b, \ldots, b)$, assuming the numbers of $a$ and $b$ are the same and $f$ has a
flexible arity, are not recognizable with multi-tree automata. In the usual term
model the previous example can be represented as the A-closure of the language
recognized by a regular tree automaton with the following transition rules

$f(q_a, q_b) \to q_f, \quad f(q_a, q_f) \to q', \quad f(q', q_b) \to q_f.$

The past couple of years we have investigated in [16,17] the recognizability
and closure properties of associative and/or commutative tree languages by
introducing a new framework, called equational tree automata. This framework allows
us to handle equational tree languages, such as recognizable A-tree languages,
which are effectively closed under union and intersection. The same closure
property also holds in the AC-case. Our extension is useful for infinite-state model
checking based on algebraic description languages of concurrent systems [18].
For instance, in protocol verification, network messages consisting of sequential
data components are modeled with multiple lists, which are represented as terms
with A-symbols. Besides, it is known that the emptiness problem for A-regular
tree languages (i.e., tree languages recognizable with regular A-tree automata)
is decidable. Unfortunately, there is also a negative result on A-tree languages:
A-regular tree languages are not boolean closed. However, in the equational tree
automata setting, the class of recognizable A-tree languages is properly wider
than that of A-regular tree languages. So the remaining question arises again, as
to whether or not recognizable A-tree languages are closed under complementation.

In the paper we obtain the solution to the unsolved question, in the way that
A-tree languages are translated into sequence-tree languages. The translation is
performed by a flattening operation, which is the standard technique in term
rewriting, e.g. found in [2]. Intuitively, every non-empty and maximal context
consisting of an A-symbol is replaced by a special function symbol $(\ )$ which has
a flexible arity. For instance, the term $f(a, f(f(b, c), d))$ is interpreted as $(a, b, c, d)$.
The resulting term is called a sequence-term (or sequence-tree). We thus need
a new mechanism that manipulates sequence-terms. In Section 2 we introduce
sequence-tree automata that allow a Galois connection to A-tree automata, even
that have a bijective correspondence in recognizability. The new tree automata
definition is inspired from Toyama's membership conditional term rewriting
systems [20]. Furthermore, our formalization of sequence-tree automata generalizes
Lugiez and Dal Zilio's multi-tree automata of the associativity case. In
Section 3 we discuss the determinization of sequence-tree automata, which leads to
the desired answer, that is, the complement closedness of recognizable A-tree
languages. In Section 4 we demonstrate the usefulness of A-tree languages by
showing that recognizable A-tree languages are closed under one-step ground
A-rewriting. More precisely, since the tree language $\{ s \mid t \to$
handled with a decidable tree automata theory [6], we show in the paper that
$\{ s \mid \exists t \in L \text{ such that } t \to_{\mathcal{R}/A} s \}$ is recognizable with A-tree automata, provided
$L$ is recognizable with A-tree automata and $\mathcal{R}/A$ is a ground A-rewrite system
(i.e. rewrite rules in $\mathcal{R}$ are ground and equations in $A$ are associativity axioms for
some binary symbols). This result is helpful in figuring out decidable subclasses
for the first-order theories of one-step rewriting [5].

In the paper we assume the readers are familiar with the basics of term
rewriting (explained, e.g., in [1,3]). A subset $\mathcal{F}_A$ of the signature $\mathcal{F}$ consists of
some binary function symbols. An equational system (ES for short) denoted
by $A$ is a set of associativity axioms $f(f(x, y), z) \approx f(x, f(y, z))$ for all $f$ in
$\mathcal{F}_A$. An associative term rewriting system (A-TRS for short) $\mathcal{R}/A$ over $\mathcal{F}$ is the
combination of a TRS $\mathcal{R}$ and an ES $A$. We write $s \to_{\mathcal{R}/A} t$ if there exist terms $s'$
and $t'$ such that $s \sim_A s' \to_{\mathcal{R}} t' \sim_A t$. The binary relation $\sim_A$ is the equivalence
relation induced by $A$. The reflexive-transitive closure and the transitive closure
of $\to_{\mathcal{R}/A}$ are denoted by $\to^{*}_{\mathcal{R}/A}$ and $\to^{+}_{\mathcal{R}/A}$, respectively. A term $t$ reachable from
a term $s$ with respect to $\mathcal{R}/A$, i.e. $s \to^{*}_{\mathcal{R}/A} t$, is called an $\mathcal{R}/A$-descendant of
$s$. A term $t$ with $s \to_{\mathcal{R}/A} t$ is called a one-step $\mathcal{R}/A$-descendant of $s$. The sets
$\{ t \mid \exists s \in L.\ s \to^{*}_{\mathcal{R}/A} t \}$ and $\{ t \mid \exists s \in L.\ s \to_{\mathcal{R}/A} t \}$ for some set $L$ of terms are
denoted by $(\to^{*}_{\mathcal{R}/A})[L]$ and $(\to_{\mathcal{R}/A})[L]$, respectively.

Next we fix our terminologies on tree automata. A tree automaton (TA for
short) $\mathcal{A}$ is the 4-tuple $(\mathcal{F}, Q, Q_{fin}, \Delta)$ consisting of the signature $\mathcal{F}$, a finite set
$Q$ of state symbols (special constants with $\mathcal{F} \cap Q = \emptyset$), a set $Q_{fin}$ ($\subseteq Q$) of final
state symbols, and a finite set $\Delta$ of transition rules in one of the following forms:

$f(p_1, \ldots, p_n) \to q \quad \text{or} \quad f(p_1, \ldots, p_n) \to f(q_1, \ldots, q_n)$

for some $f \in \mathcal{F}$ with $arity(f) = n$ and $p_1, \ldots, p_n, q, q_1, \ldots, q_n \in Q$. In the latter
form, the root function symbols of the left- and right-hand sides must be the
same. An associative tree automaton (A-TA for short) $\mathcal{A}/A$ is the combination
of a TA $\mathcal{A}$ and an ES $A$ over the same signature $\mathcal{F}$ with $\mathcal{F}_A$. An A-TA $\mathcal{A}/A$ is
called regular if $\Delta$ consists only of rules in the former shape $f(p_1, \ldots, p_n) \to q$.

An A-TA $\mathcal{A}/A$ is a special A-TRS. In fact, $\mathcal{A}/A$ defines an A-TRS over the
signature $\mathcal{F} \cup Q$. We write $s \to_{\mathcal{A}/A} t$ if $s \to_{\Delta/A} t$. The binary relation $\to_{\mathcal{A}/A}$ over
$T(\mathcal{F} \cup Q)$ is called the move relation of $\mathcal{A}/A$. A term $t$ in $T(\mathcal{F})$ is accepted by
$\mathcal{A}/A$ if $t \to^{*}_{\mathcal{A}/A} q$ for some $q \in Q_{fin}$. The set of terms accepted by $\mathcal{A}/A$ is denoted
by $\mathcal{L}(\mathcal{A}/A)$. A tree language $L$ over $\mathcal{F}$ is some subset of $T(\mathcal{F})$. A tree language
$L$ is recognizable with A-TA if there exists $\mathcal{A}/A$ such that $L = \mathcal{L}(\mathcal{A}/A)$. If $L$ is
recognizable with regular A-TA, it is called A-regular. A tree language closed
under the A-congruence relation is called an A-closed tree language, or simply called
an A-tree language.



2 Sequence-Tree Automata

We begin this section by introducing a new concept of tree automata, which is
called sequence-tree automata. The new framework enables us to accept (ground)
sequence-terms: Given the signature $\mathcal{F}$, we say $t$ is a sequence-term (or
sequence-tree) in $s\text{-}T(\mathcal{F})$

if $t = f(t_1, \ldots, t_n)$ such that $f \in \mathcal{F}_n$ and $t_i \in s\text{-}T(\mathcal{F})$ for all $1 \le i \le n$, or
if $t = (t_1, \ldots, t_m)$ such that $m \ge 2$ and $t_i \in s\text{-}T(\mathcal{F})$ and $root(t_i) \in \mathcal{F}$ for all
$1 \le i \le m$.

We assume $(\ )$ to be a special symbol with a flexible arity. Each function symbol
$f$ in $\mathcal{F}$ has a fixed arity, which is represented by the mapping $arity : \mathcal{F} \to \mathbb{N}$. A
subset $\mathcal{F}_n$ of $\mathcal{F}$ consists of function symbols $f$ with $arity(f) = n$.

A sequence-tree automaton (s-TA for short) $\mathcal{M} = (\mathcal{F}, Q, Q_{fin}, \Delta)$ is defined
as an easy extension of the standard TA, by allowing transition rules for the
special symbol $(\ )$ with the following shape:

$(X) \to q \Leftarrow concat(X) \text{ in } \mathcal{L}(G)$

Here the capital letter $X$ is called a sequence-variable [10,13]. In the above
transition rule, $X$ is expected to be instantiated to some sequence $(q_1, \ldots, q_n)$
($n \ge 2$) of states. So in the conditional part of the rule, the concatenation $q_1 \cdots q_n$
of state symbols, denoted by $concat(X)$, is examined whether it is accepted by
a word grammar $G$ over $Q$. Each grammar in conditional rules is not necessarily
the same as each other grammar in different rules. If the membership condition
$concat(X) \text{ in } \mathcal{L}(G)$ is satisfied for some instance of $X$, the left pattern can be
replaced by a single state $q$.

A word grammar $G = (\Sigma, S, S_0, \Delta)$ over the alphabet $\Sigma$ with $S$ nonterminal
symbols and $S_0$ the starting symbol is called (1) context-sensitive (CSG for short)
if $|l| \le |r|$, (2) context-free if $l \in S$, (3) regular if $l \in S$ and $r \in \{ as \mid a \in
\Sigma \text{ and } s \in S \} \cup \{ a \mid a \in \Sigma \}$ for all production rules $l \to r$ in $\Delta$. We say $G$ is a
monotone grammar if every rule in $\Delta$ has one of the following forms:

$p \to a \quad \text{or} \quad p \to q_1 q_2 \quad \text{or} \quad p_1 p_2 \to q_1 q_2$

with $p, p_1, p_2, q_1, q_2 \in S$ and $a \in \Sigma$.

An s-TA is called a monotone (resp. context-sensitive, context-free, regular) 
s-TA if word grammars in the conditional part are monotone (resp. context- 
sensitive, context-free, regular) . In the paper we say an s-TA instead of a mono- 
tone s-TA. A sequence-tree language recognizable with a monotone (resp. context- 
sensitive, context-free, regular) s-TA is called monotone (resp. context-sensitive, 
context-free, regular). In the literature, e.g. in [15], monotone grammars are 
called Kuroda normal forms of GSG. Moreover, it is known that for every GSG, 
we can compute an equivalent grammar in Kuroda normal form [12]. The expres- 
sive power of sequence-tree automata is determined by the generative power of G- 
In fact, we have the strict language hierarchy between the classes of monotone, 
context-free, and regular sequence-tree languages. 

Next we discuss the relationship between A-TA and s-TA. Hereafter we assume $\mathcal{F}_A = \{\mathsf{f}\}$. Moreover, we say a context of a term is an $\mathsf{f}$-block if it is a non-empty maximal context consisting of $\mathsf{f}$ only. For notational convenience, we write $C'[C_{\mathsf{f}}[t_1,\ldots,t_n]]$ for $C'[C[t_1,\ldots,t_n]]$ if $C$ is an $\mathsf{f}$-block. For instance, $g(C_{\mathsf{f}}[a,b,c])$ represents the terms $g(\mathsf{f}(a,\mathsf{f}(b,c)))$ and $g(\mathsf{f}(\mathsf{f}(a,b),c))$.

We define the two mappings flat and unflat as follows: Let $t$ be a term in $T(\mathcal{F})$,

$$ \mathrm{flat}(t) = \begin{cases} (\mathrm{flat}(t_1),\ldots,\mathrm{flat}(t_n)) & \text{if } t = C_{\mathsf{f}}[t_1,\ldots,t_n], \\ f(\mathrm{flat}(t_1),\ldots,\mathrm{flat}(t_n)) & \text{if } t = f(t_1,\ldots,t_n) \text{ and } f \ne \mathsf{f}. \end{cases} $$

Let $\mathcal{F}' = \mathcal{F} - \{\mathsf{f}\}$ and let $t$ be a sequence-term in $s\text{-}T(\mathcal{F}')$,

$$ \mathrm{unflat}(t) = \begin{cases} \mathsf{f}(\ldots \mathsf{f}(\mathrm{unflat}(t_1),\mathrm{unflat}(t_2)) \cdots, \mathrm{unflat}(t_m)) & \text{if } t = (t_1,\ldots,t_m), \\ f(\mathrm{unflat}(t_1),\ldots,\mathrm{unflat}(t_n)) & \text{if } t = f(t_1,\ldots,t_n) \text{ and } f \ne \mathsf{f}. \end{cases} $$

An example of a flat-transformation is illustrated in Fig. 1. One should notice that $\mathrm{flat}(\mathrm{unflat}(t)) = t$ for any sequence-term $t$ in $s\text{-}T(\mathcal{F}')$. However, $\mathrm{unflat}(\mathrm{flat}(t))$ and $t$ are not always the same, but $\mathrm{unflat}(\mathrm{flat}(t)) \sim_A t$. For instance,

$$ \mathrm{unflat}(\mathrm{flat}(g(\mathsf{f}(h(a),\mathsf{f}(b,c)),d))) = g(\mathsf{f}(\mathsf{f}(h(a),b),c),d) \ne g(\mathsf{f}(h(a),\mathsf{f}(b,c)),d) $$

although $g(\mathsf{f}(\mathsf{f}(h(a),b),c),d) \sim_A g(\mathsf{f}(h(a),\mathsf{f}(b,c)),d)$.
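The two mappings above, as an added example that is not code from the paper: terms are nested Python tuples, the associative symbol $\mathsf{f}$ is assumed binary (as in the page's examples), and A-equivalence is decided by rotating every $\mathsf{f}$-block into right-nested form, which is a canonical representative of the A-congruence class. The names flat, unflat, right_assoc and a_equivalent are this example's own.

```python
# Ground terms as nested tuples: a constant is ('a',), an application is
# ('g', t1, ..., tn).  The single associative symbol is 'f' (the page's
# assumption F_A = {f}); it is assumed binary, as in the page's examples.
# A sequence-term uses the special symbol '()' : ('()', t1, ..., tm), m >= 2.
ASSOC = 'f'
SEQ = '()'


def flat(t):
    """flat: collapse each maximal f-block into one sequence whose elements
    are the (flattened) non-f subterms hanging off the block."""
    if t[0] == ASSOC:
        leaves = []
        for s in t[1:]:
            if s[0] == ASSOC:
                leaves.extend(flat(s)[1:])   # same f-block: splice its leaves
            else:
                leaves.append(flat(s))
        return (SEQ, *leaves)
    return (t[0], *(flat(s) for s in t[1:]))


def unflat(t):
    """unflat: rebuild a sequence (t1, ..., tm) as the left-nested block
    f(...f(t1, t2)..., tm), exactly as the page defines it."""
    if t[0] == SEQ:
        acc = unflat(t[1])
        for s in t[2:]:
            acc = (ASSOC, acc, unflat(s))
        return acc
    return (t[0], *(unflat(s) for s in t[1:]))


def right_assoc(t):
    """A-canonical form: rotate f(f(x, y), z) into f(x, f(y, z)) everywhere.
    Two terms are A-equivalent iff their canonical forms coincide."""
    t = (t[0], *(right_assoc(s) for s in t[1:]))
    while t[0] == ASSOC and t[1][0] == ASSOC:
        _, (_, x, y), z = t
        t = (ASSOC, x, right_assoc((ASSOC, y, z)))
    return t


def a_equivalent(s, t):
    return right_assoc(s) == right_assoc(t)


# The page's example term g(f(h(a), f(b, c)), d).
EXAMPLE = ('g', ('f', ('h', ('a',)), ('f', ('b',), ('c',))), ('d',))

if __name__ == '__main__':
    print(flat(EXAMPLE))
    print(unflat(flat(EXAMPLE)))
    print(a_equivalent(unflat(flat(EXAMPLE)), EXAMPLE))
```

Running it on the page's term reproduces the displayed inequality: unflat(flat(t)) is the left-nested g(f(f(h(a),b),c),d), which differs from t syntactically but has the same canonical form, so a_equivalent reports the A-equivalence claimed above.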

Using the mappings flat and unflat, we show that the classes of A-TA and s-TA have a bijective correspondence in recognizability. More precisely, in the remaining part of this section, we prove the next statement.

Theorem 1. Given an A-tree language $L$ over the signature $\mathcal{F}$ with $\mathcal{F}_A = \{\mathsf{f}\}$, there exists an A-TA $\mathcal{A}/A$ such that $\mathcal{L}(\mathcal{A}/A) = L$ if and only if there exists an s-TA $\mathcal{M}$ such that $\mathcal{L}(\mathcal{M}) = \mathrm{flat}(L)$. □

In the above theorem A-closedness of L is essential. For instance, the tree 
language {f(f(a,a),a) } is not recognizable with A-TA, because an A-TA which 
accepts f(f(a,a),a) also accepts f(a,f(a,a)). On the other hand, we can easily 
define an s-TA that accepts (a, a, a) only. 

Let us explain the idea for the "only if" proof of the above theorem. We consider the A-TA $\mathcal{A}/A$ with $\mathcal{A} = (\{\mathsf{f}, a, b\}, \{p, q_1, q_2\}, \{p\}, \Delta)$ where $\Delta$:

$$ \begin{array}{lll} a \to q_1 & \mathsf{f}(q_1,q_2) \to p & \mathsf{f}(q_1,q_2) \to \mathsf{f}(q_2,q_1) \\ b \to q_2 & \mathsf{f}(p,p) \to p & \mathsf{f}(q_2,q_1) \to \mathsf{f}(q_1,q_2) \end{array} $$

Hitoshi Ohsaki, Hiroyuki Seki, and Toshinori Takai

The A-TA $\mathcal{A}/A$ recognizes the tree language $\{\, t \in T(\{\mathsf{f},a,b\}) \mid |t|_a = |t|_b \,\}$, i.e. the set of ground terms $t$ which have the same numbers of $a$ and $b$ in $t$. Now we define the associated s-TA $\mathcal{M}_{\mathcal{A}/A} = (\mathcal{F}', Q, Q_{fin}, \Delta_1 \cup \Delta_2)$ as follows:

$$ \begin{array}{ll} \mathcal{F}': & a,\ b \\ Q: & p,\ q_1,\ q_2 \\ Q_{fin}: & p \\ \Delta_1: & a \to q_1,\quad b \to q_2 \\ \Delta_2: & (X) \to p \Leftarrow \mathrm{concat}(X) \text{ in } \mathcal{L}(G_p) \end{array} $$

where $G_p = (\{p,q_1,q_2\}, \{\alpha_p, \alpha_{q_1}, \alpha_{q_2}\}, \alpha_p, \Delta)$ and

$$ \Delta = \{\, \alpha_p \to \alpha_{q_1}\alpha_{q_2},\ \alpha_p \to \alpha_p\alpha_p,\ \alpha_{q_2}\alpha_{q_1} \to \alpha_{q_1}\alpha_{q_2},\ \alpha_{q_1}\alpha_{q_2} \to \alpha_{q_2}\alpha_{q_1} \,\} \cup \{\, \alpha_p \to p,\ \alpha_{q_1} \to q_1,\ \alpha_{q_2} \to q_2 \,\}. $$

In the construction, the monotone grammar $G_p$ has a production rule of the form $\alpha_p \to \alpha_q\alpha_r$ if $\Delta$ contains a transition rule $\mathsf{f}(q,r) \to p$. Likewise, $G_p$ has a rule $\alpha_p\alpha_q \to \alpha_r\alpha_s$ if $\mathsf{f}(r,s) \to \mathsf{f}(p,q)$ in $\Delta$. As a consequence, we obtain an s-TA satisfying that $\mathcal{M}_{\mathcal{A}/A}$ allows a one-step move $(p_1,\ldots,p_n) \to_{\mathcal{M}_{\mathcal{A}/A}} p$ if and only if $\alpha_p \to^*_{G_p} \alpha_{p_1} \cdots \alpha_{p_n}$. In fact, the above s-TA construction satisfies the following property.

Lemma 1. Given an A-TA $\mathcal{A}/A$ with $\mathcal{A} = (\mathcal{F}, Q, Q_{fin}, \Delta)$. Suppose $\mathcal{M}_{\mathcal{A}/A} = (\mathcal{F}', Q', Q'_{fin}, \Delta')$ is the s-TA obtained by the above construction. Then, for all $p_1,\ldots,p_n,q \in Q$, $C_{\mathsf{f}}[p_1,\ldots,p_n] \to^*_{\mathcal{A}/A} q$ if and only if $\alpha_q \to^*_{G_q} \alpha_{p_1} \cdots \alpha_{p_n}$.
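The construction above, run on the page's own example, as an added example that is not code from the paper: the conditional rule of the s-TA $\mathcal{M}_{\mathcal{A}/A}$ is evaluated by deciding membership in the monotone grammar $G_p$ with a bounded breadth-first search over sentential forms (monotone rules never shorten a form, so forms longer than the word can be pruned), and the whole s-TA is then run on flattened sequence-terms such as $(a,b,a,b)$. The dictionary encodings, the helper seq and the names monotone_member, run_sta and accepts are this example's own assumptions.

```python
from collections import deque
from itertools import product


def monotone_member(grammar, word):
    """Decide word in L(G) for a monotone grammar G given as a dict with
    'start' (the starting nonterminal) and 'rules' (a list of (lhs, rhs)
    tuples).  Because monotone rules never shorten a sentential form,
    breadth-first search over sentential forms of length <= |word| is
    exhaustive and terminates; this is the decidability of membership the
    page relies on.  It is exponential in |word| in general, which is fine
    for the short state sequences used here."""
    word = tuple(word)
    if not word:
        return False
    start = (grammar['start'],)
    seen, queue = {start}, deque([start])
    while queue:
        form = queue.popleft()
        if form == word:
            return True
        for lhs, rhs in grammar['rules']:
            k = len(lhs)
            for i in range(len(form) - k + 1):
                if form[i:i + k] == lhs:
                    nxt = form[:i] + rhs + form[i + k:]
                    if len(nxt) <= len(word) and nxt not in seen:
                        seen.add(nxt)
                        queue.append(nxt)
    return False


def run_sta(sta, t):
    """Set of states a (nondeterministic) s-TA can reach on sequence-term t.
    Terms are nested tuples: ('a',) is a constant, ('g', t1, ..., tn) an
    application, ('()', t1, ..., tm) a sequence with m >= 2.  sta has
    'rules' = [(f, (p1, ..., pn), q)] for f(p1,...,pn) -> q and
    'seq_rules' = [(q, G_q)] for (X) -> q <= concat(X) in L(G_q)."""
    child_states = [run_sta(sta, s) for s in t[1:]]
    if t[0] == '()':
        # concat(X) ranges over every choice of one state per element
        return {q for q, grammar in sta['seq_rules']
                if any(monotone_member(grammar, choice)
                       for choice in product(*child_states))}
    return {q for f, args, q in sta['rules']
            if f == t[0] and len(args) == len(child_states)
            and all(p in cs for p, cs in zip(args, child_states))}


def accepts(sta, t):
    return bool(run_sta(sta, t) & sta['final'])


# The page's grammar G_p over terminals {p, q1, q2} with nonterminals
# ap, aq1, aq2 (alpha_p, alpha_q1, alpha_q2) and start symbol ap.
G_P = {'start': 'ap', 'rules': [
    (('ap',), ('aq1', 'aq2')),          # from f(q1, q2) -> p
    (('ap',), ('ap', 'ap')),            # from f(p, p) -> p
    (('aq2', 'aq1'), ('aq1', 'aq2')),   # from f(q1, q2) -> f(q2, q1)
    (('aq1', 'aq2'), ('aq2', 'aq1')),   # from f(q2, q1) -> f(q1, q2)
    (('ap',), ('p',)), (('aq1',), ('q1',)), (('aq2',), ('q2',)),
]}

# The associated s-TA M_{A/A}: constants a, b; Delta_1 and Delta_2 as on the page.
M_AA = {'rules': [('a', (), 'q1'), ('b', (), 'q2')],
        'seq_rules': [('p', G_P)],
        'final': {'p'}}


def seq(*letters):
    """Build the sequence-term (c1, ..., cm) from constant names."""
    return ('()', *((c,) for c in letters))


if __name__ == '__main__':
    for word in ('abab', 'aabb', 'aab', 'abb'):
        print(word, accepts(M_AA, seq(*word)))
```

The sequence $(a,a,b,b)$ is accepted only because of the swap rule $\alpha_{q_2}\alpha_{q_1} \to \alpha_{q_1}\alpha_{q_2}$, which is the grammar image of the A-TA's rule $\mathsf{f}(q_1,q_2) \to \mathsf{f}(q_2,q_1)$; dropping that rule from G_P makes the search fail, which is a quick way to see why the non-regular second rule shape is needed.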

Using this lemma, we can prove the "only if" direction of Theorem 1.

Lemma 2. Given an A-TA $\mathcal{A}/A$ with $\mathcal{A} = (\mathcal{F}, Q, Q_{fin}, \Delta)$. Suppose $\mathcal{M}_{\mathcal{A}/A} = (\mathcal{F}', Q', Q'_{fin}, \Delta')$ is the s-TA obtained as in the previous lemma. Then, $t \in \mathcal{L}(\mathcal{A}/A)$ if and only if $\mathrm{flat}(t) \in \mathcal{L}(\mathcal{M}_{\mathcal{A}/A})$.

Proof. We show the "only if" part. The reverse can be proved in a similar way. We assume $t \to^*_{\mathcal{A}/A} q$ for some $q \in Q$. Then we show by structural induction that $\mathrm{flat}(t) \to^*_{\mathcal{M}_{\mathcal{A}/A}} q$. If $t$ is a constant $c$, there exists a transition rule $c \to q \in \Delta$. Then, by construction, $c \to q \in \Delta'$. If $t = f(t_1,\ldots,t_n)$ with $f \ne \mathsf{f}$, then $t_i \to^*_{\mathcal{A}/A} p_i$ for some $p_i \in Q$ ($1 \le i \le n$) such that $f(p_1,\ldots,p_n) \to q \in \Delta$. By the induction hypothesis, $\mathrm{flat}(t_i) \to^*_{\mathcal{M}_{\mathcal{A}/A}} p_i$ ($1 \le i \le n$). Moreover, $f(p_1,\ldots,p_n) \to q \in \Delta'$. Thus, $\mathrm{flat}(t) \to^*_{\mathcal{M}_{\mathcal{A}/A}} f(p_1,\ldots,p_n) \to_{\mathcal{M}_{\mathcal{A}/A}} q$. If $t = C_{\mathsf{f}}[t_1,\ldots,t_m]$, then $t_i \to^*_{\mathcal{A}/A} p_i$ for all $1 \le i \le m$ and $C_{\mathsf{f}}[p_1,\ldots,p_m] \to^*_{\mathcal{A}/A} q$. By the induction hypothesis, $\mathrm{flat}(t_i) \to^*_{\mathcal{M}_{\mathcal{A}/A}} p_i$ ($1 \le i \le m$). Thus, $\mathrm{flat}(t) = (\mathrm{flat}(t_1),\ldots,\mathrm{flat}(t_m)) \to^*_{\mathcal{M}_{\mathcal{A}/A}} (p_1,\ldots,p_m) \to_{\mathcal{M}_{\mathcal{A}/A}} q$, because there exists a transition rule $(X) \to q \Leftarrow \mathrm{concat}(X) \text{ in } \mathcal{L}(G_q)$. By Lemma 1, $p_1 \cdots p_m \in \mathcal{L}(G_q)$ is guaranteed. □

Next we show the reverse (the "if" part of Theorem 1). The proof is achieved as in the previous lemma. Suppose $\mathcal{M} = (\mathcal{F}, Q, Q_{fin}, \Delta)$. Without loss of generality, we assume that for every rule of the form $(X) \to q \Leftarrow \mathrm{concat}(X) \text{ in } \mathcal{L}(G)$, the nonterminal symbols of $G$ are pairwise distinct from those of the other word grammars. We define the associated A-TA $\mathcal{A}_{\mathcal{M}}/A$ as follows: $\mathcal{A}_{\mathcal{M}} = (\mathcal{F} \cup \{\mathsf{f}\}, Q', Q_{fin}, \Delta')$ and $\mathcal{F}_A = \{\mathsf{f}\}$ where

$$ \begin{aligned} \Delta' = {} & \{\, l \to r \in \Delta \mid \mathrm{root}(l) \in \mathcal{F} \,\} \\ \cup {} & \{\, \mathsf{f}(\alpha,\beta) \to \mathsf{f}(\gamma,\delta) \mid (X) \to q \Leftarrow \mathrm{concat}(X) \text{ in } \mathcal{L}(G) \in \Delta,\ \gamma\,\delta \to \alpha\,\beta \in G \,\} \\ \cup {} & \{\, \mathsf{f}(\alpha,\beta) \to \gamma \mid (X) \to q \Leftarrow \mathrm{concat}(X) \text{ in } \mathcal{L}(G) \in \Delta,\ \gamma \to \alpha\,\beta \in G \,\} \\ \cup {} & \{\, \mathsf{f}(\alpha,\beta) \to q \mid (X) \to q \Leftarrow \mathrm{concat}(X) \text{ in } \mathcal{L}(G) \in \Delta,\ \gamma \to \alpha\,\beta \in G, \text{ and } \gamma \text{ is the starting symbol of } G \,\} \\ \cup {} & \{\, f(p_1,\ldots,p_n) \to \alpha \mid f(p_1,\ldots,p_n) \to p \in \Delta \text{ with } f \ne \mathsf{f},\ (X) \to q \Leftarrow \mathrm{concat}(X) \text{ in } \mathcal{L}(G) \in \Delta,\ \alpha \to p \in G \,\} \end{aligned} $$

The set $Q'$ of new state symbols is $Q$ together with the nonterminal symbols of all word grammars of conditional rules in $\Delta$. Then we can prove the next lemma.

Lemma 3. Given an s-TA $\mathcal{M}$ over the signature $\mathcal{F}$ such that $\mathsf{f} \notin \mathcal{F}$. Suppose $\mathcal{F}' = \mathcal{F} \cup \{\mathsf{f}\}$ with $\mathcal{F}'_A = \{\mathsf{f}\}$ and $\mathcal{A}_{\mathcal{M}}/A$ is the A-TA over $\mathcal{F}'$ obtained from $\mathcal{M}$ by the above construction. Then, $t \in \mathcal{L}(\mathcal{M})$ if and only if $\mathrm{unflat}(t) \in \mathcal{L}(\mathcal{A}_{\mathcal{M}}/A)$. □

The bijective correspondence between s-TA and A-TA is beneficial: For instance, the proof of the undecidability of the emptiness problem for A-TA (Corollary 1 in [16]) can be simplified. We prove the same undecidability for s-TA below: Given a monotone grammar $G = (\Sigma, S, S_0, \Delta)$, we define the s-TA $\mathcal{M}_G = (\mathcal{F}, Q, Q_{fin}, \Delta')$ associated with $G$ as follows: $\mathcal{F} = \{\, c_a \mid a \in \Sigma \,\}$, $Q = \Sigma \cup \{q\}$ with $q \notin \Sigma$, $Q_{fin} = \{q\}$, $\Delta' = \{\, c_a \to a \mid a \in \Sigma \,\} \cup \{\, (X) \to q \Leftarrow \mathrm{concat}(X) \text{ in } \mathcal{L}(G) \,\}$. Then $\mathcal{L}(\mathcal{M}_G) = \emptyset$ if and only if $\mathcal{L}(G) = \emptyset$. It is known that the emptiness problem for monotone grammars is undecidable, and thus the problem is also undecidable for s-TA.

Using our transformation (from s-TA to A-TA, and the reverse), it can also 
be proved that the class of monotone sequence-tree languages is effectively closed 
under union and intersection, because the class of A-tree languages is also effec- 
tively closed under union and intersection (Theorems 2,3 in [16]). The additional 
benefit from using Theorem 1 is that a complexity result in one framework yields 
the same result in the other framework. 

Theorem 2. The membership problem for s-TA is PSPACE-complete. □

Proof (Outline). The nontrivial part of this theorem, showing the PSPACE-hardness, can be achieved by reducing from the membership problem for CSG, which is known to be PSPACE-complete. □

As an immediate consequence, we obtain the complexity result for A-TA. 

Corollary 1. The membership problem for A-TA is PSPACE-complete. □ 

3 Determinization of Sequence-Tree Automata

We show in this section that context-sensitive sequence-tree automata can be determinized using the algorithm in Fig. 2. The algorithm is obtained by generalizing the standard subset construction technique. This implies that recognizable sequence-tree languages and hence A-tree languages are closed under complementation, which provides a positive answer to an important remaining question in [16,17].

Let $\mathcal{M} = (\mathcal{F}, Q, Q_{fin}, \Delta)$ be an s-TA. We assume without loss of generality that $\Delta$ does not contain different conditional rules for the same right-hand side $q$. In case $\Delta$ contains $(X) \to q \Leftarrow \mathrm{concat}(X) \text{ in } \mathcal{L}(G_1)$ and $(X) \to q \Leftarrow \mathrm{concat}(X) \text{ in } \mathcal{L}(G_2)$ with $G_1 \ne G_2$, they can be merged into a single rule $(X) \to q \Leftarrow \mathrm{concat}(X) \text{ in } \mathcal{L}(G_3)$ such that $\mathcal{L}(G_3) = \mathcal{L}(G_1) \cup \mathcal{L}(G_2)$.

Next, for every conditional rule $(X) \to q \Leftarrow \mathrm{concat}(X) \text{ in } \mathcal{L}(G_q)$ in $\Delta$, we define a monotone (but not necessarily deterministic) grammar $\hat{G}_q$ as follows: Let $G_q = (\Sigma, S, s_0, \Delta)$, then $\hat{G}_q = (2^\Sigma, S, s_0, \Delta')$ where

$$ \Delta' = (\Delta - \{\, \alpha \to a \mid a \in \Sigma \,\}) \cup \{\, \alpha \to A \mid \alpha \to a \in \Delta,\ A \in 2^\Sigma,\ a \in A \,\}. $$

Finally, we define an s-TA $\mathcal{M}_d = (\mathcal{F}, Q_d, Q_{dfin}, \Delta_d)$ as follows:

$$ \begin{aligned} Q_d &= 2^Q \\ Q_{dfin} &= \{\, A \in Q_d \mid A \cap Q_{fin} \ne \emptyset \,\} \\ \Delta_d &= \Delta_{d1} \cup \Delta_{d2} \cup \Delta_{d3} \text{ where} \\ \Delta_{d1}:\ & f(A_1,\ldots,A_n) \to A \quad \text{for } A_i \in Q_d\ (1 \le i \le n) \text{ and } A = \{\, q \mid f(q_1,\ldots,q_n) \to q \in \Delta \text{ such that } q_i \in A_i\ (1 \le i \le n) \,\}, \\ \Delta_{d2}:\ & (X) \to A \Leftarrow \mathrm{concat}(X) \text{ in } \mathcal{L}(G_A) \quad \text{for } A \in (Q_d - \{\emptyset\}) \text{ and } \mathcal{L}(G_A) = \bigcap_{q \in A} \mathcal{L}(\hat{G}_q) - \bigcup_{q \in Q - A} \mathcal{L}(\hat{G}_q), \\ \Delta_{d3}:\ & (X) \to \emptyset \Leftarrow \mathrm{concat}(X) \text{ in } \mathcal{L}(G_\emptyset), \quad \text{where } \mathcal{L}(G_\emptyset) = \{\, w \in Q_d^* \mid |w| \ge 2 \,\} - \bigcup_{q \in Q} \mathcal{L}(\hat{G}_q). \end{aligned} $$

Fig. 2. Determinization of sequence-tree automata

Lemma 4. Given some subsets $A_i$ ($1 \le i \le n$) of a set $S$, for every subset $I$ of indices $\{1,\ldots,n\}$, we define $C_I = \bigcap_{i \in I} A_i - \bigcup_{i \notin I} A_i$. Then $C_I \cap C_J = \emptyset$ if $I \ne J$. □

Lemma 5. $\mathcal{M}_d$ is a complete and deterministic s-TA.

Proof. First we show that $\mathcal{M}_d$ is a deterministic s-TA. By Kuroda's Lemma ([12]), given a context-sensitive grammar, there effectively exists a monotone grammar with the same generative power. Moreover, monotone languages are effectively closed under boolean operations [11,12]. Thus a language $\mathcal{L}(G_A)$ of a conditional rule in $\Delta_{d2}$ can be defined by a monotone grammar. The same holds for $\mathcal{L}(G_\emptyset)$ of $\Delta_{d3}$. So we can compute an s-TA $\mathcal{M}_d$. Next we show the determinism of $\Delta_d$. By definition, there is no overlap at the root position in the left-hand sides of two different rules in $\Delta_{d1}$. For transition rules in $\Delta_{d2}$, we take two rules $(X) \to A_1 \Leftarrow \mathrm{concat}(X) \text{ in } \mathcal{L}(G_{A_1})$ and $(X) \to A_2 \Leftarrow \mathrm{concat}(X) \text{ in } \mathcal{L}(G_{A_2})$ in $\Delta_{d2}$. By Lemma 4, we obtain $\mathcal{L}(G_{A_1}) \cap \mathcal{L}(G_{A_2}) = \emptyset$. Then there is no instance $t$ of $(X)$ such that $t \in \mathcal{L}(G_{A_1}) \cap \mathcal{L}(G_{A_2})$. For $\Delta_{d3}$, the intersection of $\mathcal{L}(G_\emptyset) = \{\, w \in Q_d^* \mid |w| \ge 2 \,\} - \bigcup_{q \in Q} \mathcal{L}(\hat{G}_q)$ and $\bigcup_{q \in Q} \mathcal{L}(\hat{G}_q)$ is empty. Hence, there is no overlap between $\Delta_{d3}$ and $\Delta_{d2}$.

Next we show that $\mathcal{M}_d$ is complete. By definition, for every $f \in \mathcal{F}$ and $A_1,\ldots,A_n \in Q_d$, there exists a transition rule of the form $f(A_1,\ldots,A_n) \to A$ in $\Delta_{d1}$. For another pattern $(A_1,\ldots,A_m)$ with $A_1,\ldots,A_m \in Q_d$ and $m \ge 2$, we take $L = \bigcup_{A \in (Q_d - \{\emptyset\})} \mathcal{L}(G_A)$. Then we can show that $\bigcup_{q \in Q} \mathcal{L}(\hat{G}_q)$ is the same as $L$. This implies $L \cup \mathcal{L}(G_\emptyset) = \{\, w \in Q_d^* \mid |w| \ge 2 \,\}$. Hence, if $A_1 \cdots A_m \in L$, there exists a transition rule $(X) \to A \Leftarrow \mathrm{concat}(X) \text{ in } \mathcal{L}(G_A)$ in $\Delta_{d2}$ that is applicable to $(A_1,\ldots,A_m)$; otherwise, $\Delta_{d3}$ is applicable. □

Lemma 6. Suppose $(X) \to A \Leftarrow \mathrm{concat}(X) \text{ in } \mathcal{L}(G_A)$ is a transition rule in $\Delta_{d2}$. Let $L_A = \{\, A_1 \cdots A_k \in Q_d^* \mid q \in A \text{ if and only if } \exists q_i \in A_i\ (1 \le i \le k) \text{ and } q_1 \cdots q_k \in \mathcal{L}(G_q) \,\}$. Then $\mathcal{L}(G_A) = L_A$. □

Lemma 7. $\mathcal{L}(\mathcal{M}) = \mathcal{L}(\mathcal{M}_d)$.

Proof. We show that for every sequence-term $t \in s\text{-}T(\mathcal{F})$ and state symbol $A \in Q_d$, if $t \to^*_{\mathcal{M}_d} A$ then $A$ is the same as the set $\{\, q \in Q \mid t \to^*_{\mathcal{M}} q \,\}$.

We use structural induction on $t$. If $t$ is a constant, $\mathcal{M}_d$ has a transition rule $t \to \{\, q \in Q \mid t \to q \in \Delta \,\}$, and $\mathcal{M}_d$ has no other rule for $t$. We suppose $t = f(t_1,\ldots,t_n)$ with $f \in \mathcal{F}$. Then, $t_i \to^*_{\mathcal{M}_d} A_i$ ($1 \le i \le n$) and $f(A_1,\ldots,A_n) \to A \in \Delta_d$. By Lemma 5, $\mathcal{M}_d$ does not allow the move relation for $t$ except $t \to^*_{\mathcal{M}_d} f(A_1,\ldots,A_n) \to_{\mathcal{M}_d} A$. By definition, $A = \{\, q \in Q \mid \exists f(q_1,\ldots,q_n) \to q \in \Delta \text{ such that } q_i \in A_i\ (1 \le i \le n) \,\}$. On the other hand, by the induction hypothesis, we obtain $A_i = \{\, q_i \in Q \mid t_i \to^*_{\mathcal{M}} q_i \,\}$. Then, $A = \{\, q \in Q \mid \exists f(q_1,\ldots,q_n) \to q \in \Delta \text{ such that } t_i \to^*_{\mathcal{M}} q_i\ (1 \le i \le n) \,\} = \{\, q \in Q \mid f(t_1,\ldots,t_n) \to^*_{\mathcal{M}} q \,\}$. Next we suppose $t = (t_1,\ldots,t_m)$ such that $m \ge 2$ and $t_i \to^*_{\mathcal{M}_d} A_i$ ($1 \le i \le m$). By Lemma 5, $\mathcal{M}_d$ does not allow the move relation for $t$ except $t \to^*_{\mathcal{M}_d} (A_1,\ldots,A_m) \to_{\mathcal{M}_d} A$. By construction, the last move $(A_1,\ldots,A_m) \to_{\mathcal{M}_d} A$ is made by the rule $(X) \to A \Leftarrow \mathrm{concat}(X) \text{ in } \mathcal{L}(G_A)$ in $\Delta_d$. By Lemma 6, $q \in A$ if and only if $\exists q_i \in A_i$ ($1 \le i \le m$) and $q_1 \cdots q_m \in \mathcal{L}(G_q)$. Hence, by the induction hypothesis, $A$ is the same as the set $\{\, q \in Q \mid \exists q_i \in Q \text{ such that } t_i \to^*_{\mathcal{M}} q_i\ (1 \le i \le m) \text{ and } (q_1,\ldots,q_m) \to_{\mathcal{M}} q \,\}$.

The rest of the proof is easy. By Lemma 5, for every $t \in s\text{-}T(\mathcal{F})$ there exists a (and only one) state $A \in Q_d$ such that $t \to^*_{\mathcal{M}_d} A$. From the above property, $A \in Q_{dfin}$ if and only if $t \to^*_{\mathcal{M}} q$ for some $q \in Q_{fin}$. □

Theorem 3. Given an s-TA $\mathcal{M}$, we can compute a complete and deterministic s-TA $\mathcal{M}_d$ such that $\mathcal{L}(\mathcal{M}_d) = \mathcal{L}(\mathcal{M})$. Thus monotone sequence-tree languages are effectively closed under complementation. □

Corollary 2. Tree languages recognizable with A-TA are effectively closed under complementation.

Proof. Given an A-TA $\mathcal{A}/A$ over the signature $\mathcal{F}$ with $\mathcal{F}_A = \{\mathsf{f}\}$, by Lemmata 2 and 3 and Theorem 3, we can compute $\mathcal{B}/A$ such that $t \in \mathrm{flat}(T(\mathcal{F}) - \mathcal{L}(\mathcal{A}/A))$ if and only if $\mathrm{unflat}(t) \in \mathcal{L}(\mathcal{B}/A)$. Note that $s\text{-}T(\mathcal{F} - \mathcal{F}_A) - \mathrm{flat}(\mathcal{L}(\mathcal{A}/A)) = \mathrm{flat}(T(\mathcal{F}) - \mathcal{L}(\mathcal{A}/A))$. Thus, by showing that $\mathcal{B}/A$ recognizes the A-closure of $\mathrm{unflat}(\mathrm{flat}(T(\mathcal{F}) - \mathcal{L}(\mathcal{A}/A)))$, we know that the complement of $\mathcal{A}/A$ is recognizable with $\mathcal{B}/A$. □



4 Recognizing One-Step A-Rewrite Descendants

In order to validate a safety property with a model checking approach, reachability is a fundamental problem to be handled. Nevertheless, it is proved in equational term rewriting that there is no algorithm capable of deciding $s \to^*_{\mathcal{R}/A} t$ even if $\mathcal{R}$ is ground. Due to this fact, we know that the tree language $(\to^*_{\mathcal{R}/A})[\mathcal{L}(\mathcal{A}/A)]$ is no longer effectively recognizable. However, these negative results do not imply the incomputability of the $n$-step descendants for arbitrary but fixed $n$. In fact, we show in this section that, given a ground A-TRS $\mathcal{R}/A$ and an A-TA $\mathcal{A}/A$, the tree language $(\to_{\mathcal{R}/A})[\mathcal{L}(\mathcal{A}/A)]$ is effectively recognizable with A-TA.

In case that $\mathcal{R}$ is ground, every rule $l \to r$ in $\mathcal{R}$ can be simulated by decomposed rules $f(c_1,\ldots,c_m) \to c_0$ and $d_0 \to g(d_1,\ldots,d_n)$, where $c_i$ ($0 \le i \le m$) and $d_j$ ($0 \le j \le n$) are fresh constants. The nontrivial case to be considered in the proofs occurs in the rewrite relation made by a rule $\mathsf{f}(c_1,c_2) \to c_0$ with $\mathsf{f}$ an associativity symbol. First we consider in the following the string rewriting case. We then generalize this result to the A-term rewriting case.



Lemma 8. Given a monotone grammar $G = (\Sigma, S, S_0, \Delta)$ and a string rewrite system $\mathcal{R} = \{\, a\,b \to c \,\}$ with $a, b, c \in \Sigma$, we can compute a monotone grammar that recognizes $(\to_{\mathcal{R}})[\mathcal{L}(G)]$.

Proof. We assume without loss of generality that in $\Delta$, (1) there is only one production rule whose left-hand side is $S_0$ and (2) $S_0$ does not appear in the right-hand sides. We define a monotone grammar $G' = (\Sigma, S', S_0, \Delta')$ as follows:

(1)

(2)

(3)

(4)

Rules in (1) and (2) are computable, because the membership problem is decidable for monotone grammars. The rest of the proof is done by case analysis. □

In Lemma 8, the letters $a, b, c$ are not necessarily different from each other. Moreover, we can take a string rewrite rule whose left-hand side has length greater than 2. In fact, if $\mathcal{R} = \{\, w \to c \,\}$ such that $w \in \Sigma^+$ and $|w| = n$ ($\ge 2$), we define $G'$ as follows: (1)-(3) are replaced by

$$ \begin{aligned} &\{\, S_0 \to c \mid S_0 \to^*_G w \,\} && \cdots (1') \\ &\{\, S_0 \to [p_1 \cdots p_n]\, g \mid S_0 \to^*_G p_1 \cdots p_n\, g,\ g \in S^+ \,\} && \cdots (2') \\ &\{\, [p_1 \cdots p_n] \to c \mid p_i \to a_i \in \Delta,\ w = a_1 \cdots a_n \,\} && \cdots (3') \end{aligned} $$

Rules in (5) are replaced by, e.g.

$$ [p_1 \cdots p_i \cdots p_{n-1}\, p_n] \to [p_1 \cdots q_1\, q_2 \cdots p_{n-1}]\, p_n $$

if $1 \le i \le n-1$ and $p_i \to q_1\, q_2$ in $\Delta$. For $p_n \to q_1\, q_2$ in $\Delta$,

$$ [p_1 \cdots p_{n-1}\, p_n] \to [p_1 \cdots p_{n-1}\, q_1]\, q_2. $$

Likewise, rules in (6) and (7) are modified. Using the general version of $G'$, we can show that $(\to_{\mathcal{R}})[\mathcal{L}(G)]$ is a monotone language for $\mathcal{R} = \{\, w \to c \,\}$.

Lemma 9. Given an A-TA $\mathcal{A}/A$ and a ground TRS $\mathcal{R} = \{\, \mathsf{f}(a,b) \to c \,\}$ over the same signature $\mathcal{F}$ with $\mathcal{F}_A = \{\mathsf{f}\}$, we can compute an A-TA that recognizes $(\to_{\mathcal{R}/A})[\mathcal{L}(\mathcal{A}/A)]$.

Proof. Suppose $\mathcal{M}_{\mathcal{A}} = (\mathcal{F} - \{\mathsf{f}\}, Q, Q_{fin}, \Delta)$ is an s-TA associated with $\mathcal{A}/A$. Without loss of generality, we assume that for all $a \to p,\ b \to q \in \Delta$ with $a, b \in \mathcal{F}$, $a \ne b$ implies $p \ne q$. Let $\circ$ be a fresh symbol with $\circ \notin \mathcal{F} \cup Q$ and $W = \{\, p\,q \mid a \to p,\ b \to q \in \Delta \,\}$. We write $\to_c$ for the binary relation induced by the string rewrite system (SRS for short) $\{\, w \to \circ \mid w \in W \,\}$ over the language $(Q \cup \{\circ\})^*$. Similarly, $\to_\circ$ is the binary relation induced by the SRS $\{\, p \to p\,\circ \mid p \in Q \,\}$. Define $\mathcal{M}' = (\mathcal{F} - \{\mathsf{f}\}, Q', Q'_{fin}, \Delta')$ as follows: $Q' = Q \cup \{\circ\} \cup \{\, q_\circ \mid q \in Q \,\}$, $Q'_{fin} = \{\, q_\circ \mid q \in Q_{fin} \,\}$ and

$$ \begin{aligned} \Delta' = {} & \Delta \cup \{\, c \to \circ \,\} \\ \cup {} & \{\, c \to q_\circ \mid (X) \to q \Leftarrow \mathrm{concat}(X) \text{ in } L \in \Delta,\ L \cap W \ne \emptyset \,\} \\ \cup {} & \{\, f(p_1,\ldots,p_{i\circ},\ldots,p_n) \to q_\circ \mid f(p_1,\ldots,p_i,\ldots,p_n) \to q \in \Delta \,\} \\ \cup {} & \{\, (X) \to q_\circ \Leftarrow \mathrm{concat}(X) \text{ in } (\to_\circ)[L] \mid (X) \to q \Leftarrow \mathrm{concat}(X) \text{ in } L \in \Delta \,\} \\ \cup {} & \{\, (X) \to q_\circ \Leftarrow \mathrm{concat}(X) \text{ in } (\to_c)[L'] \mid (X) \to q \Leftarrow \mathrm{concat}(X) \text{ in } L \in \Delta,\ L' = L - W \,\} \end{aligned} $$

By Lemma 8, a monotone grammar generating $(\to_c)[L']$ is computable. Furthermore, for every $(X) \to q \Leftarrow \mathrm{concat}(X) \text{ in } L$ in $\Delta$, a monotone grammar generating $(\to_\circ)[L]$ is computable. So it can be proved by structural induction that the s-TA $\mathcal{M}'$ recognizes the sequence-term representation of $(\to_{\mathcal{R}/A})[\mathcal{L}(\mathcal{A}/A)]$. □
$\mathcal{A}_0 := \mathcal{A}$; $i := 0$; $j := 0$;
$S := \mathrm{pos}(l)$; $T := \mathrm{pos}(r)$;
while $S \ne \emptyset$ do
    select $p \in S$ such that $\nexists p' \in S.\ p' \succ p$
    let $l|_p = f(t_1,\ldots,t_n)$ and compute $\mathcal{A}_{i+1}/A$ such that
        $\mathcal{L}(\mathcal{A}_{i+1}/A) = (\to_{\{ f(c_{t_1},\ldots,c_{t_n}) \to c_{l|_p} \}/A})[\mathcal{L}(\mathcal{A}_i/A)]$
    $i := i+1$; $S := S - \{p\}$;
od
compute $\mathcal{B}_0/A$ such that $\mathcal{L}(\mathcal{B}_0/A) = (\to_{\{ c_l \to d_r \}/A})[\mathcal{L}(\mathcal{A}_i/A)]$
while $T \ne \emptyset$ do
    select $q \in T$ such that $\nexists q' \in T.\ q \succ q'$
    let $r|_q = f(t_1,\ldots,t_n)$ and compute $\mathcal{B}_{j+1}/A$ such that
        $\mathcal{L}(\mathcal{B}_{j+1}/A) = (\to_{\{ d_{r|_q} \to f(d_{t_1},\ldots,d_{t_n}) \}/A})[\mathcal{L}(\mathcal{B}_j/A)]$
    $j := j+1$; $T := T - \{q\}$;
od
$\mathcal{B}_{l \to r} := \mathcal{B}_j$; return $\mathcal{B}_{l \to r}/A$

Fig. 3. One-Step A-Rewrite Descendants for One-Rule Case



Theorem 4. Given a ground A-TRS $\mathcal{R}/A$ over the signature $\mathcal{F}$ with $\mathcal{F}_A = \{\mathsf{f}\}$: (1) For every A-TA $\mathcal{A}/A$ over the same signature $\mathcal{F}$, we can compute an A-TA that recognizes $(\to_{\mathcal{R}/A})[\mathcal{L}(\mathcal{A}/A)]$. (2) In case that $\mathcal{A}$ is regular, we can compute a regular A-TA that recognizes $(\to_{\mathcal{R}/A})[\mathcal{L}(\mathcal{A}/A)]$.

Proof. For (1), let $l \to r$ be a rewrite rule in $\mathcal{R}$. We define the ground TRS

$$ \begin{aligned} \mathcal{R}_{l \to r} = {} & \{\, f(c_{t_1},\ldots,c_{t_n}) \to c_{l|_p} \mid p \in \mathrm{pos}(l),\ l|_p = f(t_1,\ldots,t_n) \,\} \\ \cup {} & \{\, d_{r|_p} \to f(d_{t_1},\ldots,d_{t_n}) \mid p \in \mathrm{pos}(r),\ r|_p = f(t_1,\ldots,t_n) \,\} \end{aligned} $$

It can be proved that for every $s, t$ in $T(\mathcal{F})$, $s = C[l]$ and $t = C[r]$ if and only if $s \to^*_{\mathcal{R}_{l \to r}} C[c_l]$ and $C[d_r] \to^*_{\mathcal{R}_{l \to r}} t$. Moreover, this statement is generalized as follows: $s \sim_A C[l]$ and $t \sim_A C[r]$ if and only if $s \to^*_{\mathcal{R}_{l \to r}/A} C[c_l]$ and $C[d_r] \to^*_{\mathcal{R}_{l \to r}/A} t$. Using this fact, we define the procedure in Fig. 3. If the root symbol $f$ of a decomposed rule $f(c_1,\ldots,c_n) \to c$ is an A-symbol, we know that the one-step A-rewrite descendants are effectively recognizable by Lemma 9; otherwise, the one-step A-rewrite descendants $(\to_{\mathcal{R}_{l \to r}/A})[L]$ are the same as the A-closure of $(\to_{\mathcal{R}_{l \to r}})[L]$, which has been noted by Dauchet and Tison [5]. Then the procedure is capable of computing an A-TA that recognizes the tree language

$$ L_{l \to r} = \{\, t \in T(\mathcal{F}) \mid s \in \mathcal{L}(\mathcal{A}/A),\ s \to^*_{\mathcal{R}_{l \to r}/A} C[c_l],\ C[d_r] \to^*_{\mathcal{R}_{l \to r}/A} t \,\}. $$

Since $(\to_{\mathcal{R}/A})[\mathcal{L}(\mathcal{A}/A)] = \bigcup_{l \to r \in \mathcal{R}} L_{l \to r}$ and tree languages recognizable with A-TA are effectively closed under union, we can compute an A-TA that recognizes $(\to_{\mathcal{R}/A})[\mathcal{L}(\mathcal{A}/A)]$.

The second statement can be shown in a similar way. First we prove that context-free languages are closed under one-step string rewriting of $\{\, a\,b \to c \,\}$, which corresponds to Lemma 8. Then we apply the result to the A-tree case. In the construction of context-free grammars, we use different production rules. The set of production rules $\Delta'$ of $G'$ consists of (1), (3), (4) and the following rules:

$$ \begin{aligned} & S_0 \to [p\,q]\,r,\qquad S_0 \to p\,[q\,r] && \text{for } p, q, r \in S \text{ such that } S_0 \to^* p\,q\,r \\ & [p\,q] \to [p_1\,p_2]\,q,\quad [p\,q] \to p_1\,[p_2\,q],\quad [q\,p] \to [q\,p_1]\,p_2,\quad [q\,p] \to q\,[p_1\,p_2],\quad p \to p_1\,p_2 && \text{for } p \to p_1\,p_2 \in \Delta,\ p \ne S_0,\ q \in S \end{aligned} \qquad \cdots (2') $$

In this case, rules (6) and (7) in Lemma 8 are unnecessary. □
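The decomposition of a ground rule into $\mathcal{R}_{l \to r}$ and the claim that $s = C[l]$ and $t = C[r]$ exactly when $s \to^* C[c_l]$ and $C[d_r] \to^* t$, as an added example that is not the paper's code. It covers the plain ground case only (no associativity, the case the proof attributes to Dauchet and Tison) and checks the claim by computing the one-step descendants of a constructed term both directly and through the decomposition. The tuple encoding of terms and fresh constants, the function names and the sample rule $f(a,b) \to h(f(b,a))$ are this example's own assumptions.

```python
# Ground terms as nested tuples: ('g', t1, ..., tn) for an application and
# ('a',) for a constant.  The fresh constants of R_{l->r} are encoded by
# using the pair ('c', t) or ('d', t) itself as a constant symbol, so that
# c_t / d_t is the 1-tuple (('c', t),) / (('d', t),).

def subterms(t):
    yield t
    for s in t[1:]:
        yield from subterms(s)


def c(t):
    return (('c', t),)


def d(t):
    return (('d', t),)


def decompose(l, r):
    """Split the ground rule l -> r into R_{l->r} plus the bridging rule
    c_l -> d_r: 'up' collapses l bottom-up into the constant c_l,
    'down' expands d_r top-down into r."""
    up = [((t[0], *map(c, t[1:])), c(t)) for t in subterms(l)]
    bridge = [(c(l), d(r))]
    down = [(d(t), (t[0], *map(d, t[1:]))) for t in subterms(r)]
    return up, bridge, down


def one_step(t, rules):
    """All one-step descendants of t under a ground TRS (any position)."""
    out = {rhs for lhs, rhs in rules if t == lhs}
    for i in range(1, len(t)):
        for s in one_step(t[i], rules):
            out.add(t[:i] + (s,) + t[i + 1:])
    return out


def reachable(t, rules):
    """Reflexive-transitive closure of one_step.  Finite here: 'up' rules only
    consume original symbols and 'down' rules expand each d-constant once."""
    seen, todo = {t}, [t]
    while todo:
        for s in one_step(todo.pop(), rules):
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return seen


def original(t):
    """True when no fresh c_/d_ constant is left in t."""
    return isinstance(t[0], str) and all(original(s) for s in t[1:])


def descendants_via_decomposition(s, l, r):
    """(->_{l->r})[{s}] computed the page's way: s ->* C[c_l], then
    C[c_l] -> C[d_r], then C[d_r] ->* t, keeping only fully expanded t."""
    up, bridge, down = decompose(l, r)
    result = set()
    for u in reachable(s, up):
        for v in one_step(u, bridge):
            result |= {w for w in reachable(v, down) if original(w)}
    return result


# Constructed example: rule f(a, b) -> h(f(b, a)) applied to g(f(a, b), f(a, b)).
L = ('f', ('a',), ('b',))
R = ('h', ('f', ('b',), ('a',)))
S = ('g', L, L)

if __name__ == '__main__':
    for t in descendants_via_decomposition(S, L, R):
        print(t)
```

Because both redex occurrences in S can be collapsed independently, the intermediate set contains terms such as g(c_l, c_l); only those in which exactly one c_l was bridged to d_r expand back to a term free of fresh constants, which is why the result has exactly the two direct one-step descendants.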



5 Concluding Remarks 

We have shown in this paper that A-tree languages recognizable with A-tree au- 
tomata are closed under boolean operations. The newly obtained closure prop- 
erty is a direct consequence of (1) complement closedness of monotone sequence- 
tree languages (Theorem 3), and (2) bijective correspondence between A-tree 
automata and sequence-tree automata (Theorem 1). The theorem is also helpful 
for simplifying the proof of undecidability of the emptiness problem for A-tree 
automata. The new framework introduced in Section 2, called sequence-tree au- 
tomata, enables us to have an easy proof of the complexity of the membership 
problem for A-tree languages (Corollary 1). 

In the previous section, we also showed that recognizable A-tree languages are closed under one-step ground A-rewrite descendants (Theorem 4). This allows us to provide an under-approximation algorithm for computing A-rewrite descendants of A-tree languages with arbitrary accuracy, which is useful in practice, e.g. for infinite-state model checking [7].

In this paper, we introduced a special symbol $(\ )$ for translating A-tree languages in the singleton case $\mathcal{F}_A = \{\mathsf{f}\}$. But for arbitrarily many associative symbols, the sequence-term model has to be allowed to contain more special symbols, e.g. $(\ )_1, \ldots, (\ )_n$. More precisely, by modifying the definition of sequence-terms and indexing the special symbol $(\ )$ as above, Theorems 1-4 and Corollaries 1-2 can be extended to the general case.

Fig. 4. Relationships in sequence-tree automata (nested classes, from outermost to innermost: boolean closed & A-closed TL; A-closure of regular TL; A-closed regular TL)

By restricting grammars in the conditional part of transition rules, as men- 
tioned already, we obtain the language hierarchy, which is illustrated in Fig. 4. 
The outermost square represents the class of sequence-tree languages recogniz- 
able with the context-sensitive s-TA. The second largest square is the class of 
context-free s-TA. Since it has the bijective correspondence to regular A-TA, the 
class in the usual term model is the same as the A-congruence closure of regular 
tree languages. The third largest square, i.e. the class of regular s-TA, is iden- 
tical to multi-tree automata for associativity axioms only [14]. This class and 
the class of CS s-TA are closed under boolean operations and the A-congruence 
relation. Furthermore, the third class is important in the following sense: 

Theorem 5. Given a ground A-TRS $\mathcal{R}/A$ over the signature $\mathcal{F}$ with $\mathcal{F}_A = \{\mathsf{f}\}$, the set of normal forms with respect to $\mathcal{R}/A$ is effectively recognizable with regular A-TA. In the sequence-term model, the language is effectively recognizable with regular s-TA.

Proof. Let $l \to r$ be a rewrite rule in $\mathcal{R}$. We define an s-TA $\mathcal{M}_{l \to r}$ that recognizes the sequence-term representation of the A-closure of terms $C[l]$, where $C$ is an arbitrary ground context: $\mathcal{M}_{l \to r} = (\mathcal{F} - \{\mathsf{f}\}, Q, Q_{fin}, \Delta)$ such that $Q = \{q\} \cup \{\, q_t \mid p \in \mathrm{pos}(l),\ t = l|_p \,\}$, $Q_{fin} = \{q_l\}$ and $\Delta$ consists of the transition rules

$$ \begin{aligned} & (X) \to q_t \Leftarrow \mathrm{concat}(X) \text{ in } \{\, q_{t_1} \cdots q_{t_n} \,\} && \text{if } t = C_{\mathsf{f}}[t_1,\ldots,t_n] \text{ is an } \mathsf{f}\text{-block of } l, \\ & f(q_{t_1},\ldots,q_{t_m}) \to q_t && \text{if } t = f(t_1,\ldots,t_m) \trianglelefteq l \text{ and } f \ne \mathsf{f} \end{aligned} $$

together with $(X) \to q_l \Leftarrow \mathrm{concat}(X) \text{ in } \{\, w \mid w = q^*\, q_l\, q^* \text{ and } |w| \ge 2 \,\}$, $(X) \to q \Leftarrow \mathrm{concat}(X) \text{ in } \{\, w \mid w = q^* \text{ and } |w| \ge 2 \,\}$, $f(q,\ldots,q_l,\ldots,q) \to q_l$ and $f(q,\ldots,q) \to q$ for all $f \in \mathcal{F} - \{\mathsf{f}\}$. Observe that the membership test in each conditional rule can be represented by a regular grammar. Let $\mathcal{M}_{\mathcal{R}}$ be an s-TA that recognizes $\bigcup_{l \to r \in \mathcal{R}} \mathcal{L}(\mathcal{M}_{l \to r})$. The (sequence-term representation of the) set of normal forms of $\mathcal{R}/A$ is the complement of $\mathcal{L}(\mathcal{M}_{\mathcal{R}})$. Determinizing $\mathcal{M}_{\mathcal{R}}$ with the subset construction results in a regular s-TA and it is computable, because the conditional part of a transition rule of the determinized automaton is represented as follows: $\mathrm{concat}(X) \text{ in } \bigcap_{i \in K} \mathcal{L}(G_i) - \bigcup_{i \in I} \mathcal{L}(G_i)$ where $G_i$ is a regular grammar for every $i \in (K \cup I)$. Therefore, the set of normal forms of $\mathcal{R}/A$ is effectively recognizable with regular A-TA. □

The larger dotted square in Fig. 4 denotes the class of regular tree languages. This square contains the subclass that is additionally A-closed (and thus, it is both regular and A-closed). Since it can be shown that every regular and A-closed tree language is recognizable with regular A-TA, the innermost dotted square has no overlap with the class of CS s-TA, i.e., there is no example that is regular, A-closed, and recognizable with A-TA, but not recognizable with regular A-TA.
Abstract. In this paper we present lower bounds and rewriting algorithms
for testing membership of a word in a regular language described
by an extended regular expression. Motivated by intuitions from moni- 
toring and testing, where the words to be tested (execution traces) are 
typically much longer than the size of the regular expressions (patterns 
or requirements), and by the fact that in many applications the traces 
are only available incrementally, on an event by event basis, our algo- 
rithms are based on an event-consumption idea: a just arrived event is 
“consumed” by the regular expression, i.e., the regular expression mod- 
ifies itself into another expression discarding the event. We present an 
exponential space lower bound for monitoring extended regular expres- 
sions and argue that the presented rewriting-based algorithms, besides 
their simplicity and elegance, are practical and almost as good as one can 
hope. We experimented with and evaluated our algorithms in Maude. 



1 Introduction 

Regular expressions represent a compact and useful technique to specify pat- 
terns in strings. There are programming and/or scripting languages, such as 
Perl, which are mostly based on efficient implementations of pattern matching 
via regular expressions. Extended regular expressions (EREs), which add complementation ($\neg R$) to the usual union ($R_1 + R_2$), concatenation ($R_1 \cdot R_2$), and repetition ($R^*$) operators, make the description of regular languages more convenient and more succinct. The membership problem for an extended regular expression $R$ and a word $w = a_1 a_2 \cdots a_n$ is to decide whether $w$ is in the regular language generated by $R$. The size of $w$ is typically much larger than that of $R$.

Due to their convenience in specifying patterns, regular expressions, and 
implicitly the membership problem, have many applications and not only in 
computer science. For example, [14] suggests interesting applications in molec- 
ular biology. Monitoring and testing are other interesting application areas for 
regular expressions, because the execution of physical processes or computer pro- 
grams can usually be abstracted by an external observer, or monitor, as a linear 
sequence of events. Since monitoring or testing of a process or program typically 
terminates after a period of time and a result of the monitoring/testing session 
is desired quickly, efficient implementations of the membership problem are of 
critical importance to these areas. Moreover, since monitoring sessions can be 
quite long, sometimes days or weeks, algorithms which do not need to store the
execution trace or equivalent size information are typically preferred.

There has been some interest manifested recently in the software analysis 
community in using temporal logics in testing [9,10]. The Temporal Rover tool 
(TR) and its follower DB Rover [5] are already commercial; they are based on 
the idea of extending or instrumenting Java programs to enforce checking their 
execution trace against formulae expressed in temporal logics. The MaC tool 
[18] has developed its own language to express monitoring safety requirements, 
using an interval past time temporal logic at its core. In [21,20] various algo- 
rithms to generate testing automata from temporal logic formulae are described. 
Java PathExplorer [7] is a runtime verification environment under current de- 
velopment at NASA Ames, whose logical monitoring part consists of checking 
execution traces against formulae expressed in both future time and past time 
temporal logics. [6,8] present efficient algorithms for monitoring future time lin- 
ear temporal logic formulae, while [11] gives a method to synthesize efficient 
monitors from past time temporal formulae. An interesting aspect of linear tem- 
poral logics in the context of monitoring/testing, is that they specify patterns 
for the execution traces of the monitored processes, which can also be specified 
by extended regular expressions of comparable or sometimes smaller size. 

In this paper we focus on the membership problem for EREs. Previous work on the membership problem for regular expressions and their extensions [12,19,22,17] has focused on developing dynamic programming or automata based algorithms that run in time that is polynomial in both the size of the regular expression and the trace. These algorithms, however, suffer from a couple of drawbacks that make them unsuitable as monitoring or testing algorithms. First, they are not incremental. They assume that the entire word is available when the algorithm is run. Second, the running time of these algorithms is at least quadratic in the size of the word. This is an unacceptably high overhead in monitoring and testing, because the word is usually enormous.

We, instead, investigate the membership problem in a model that is more appropriate for the context of monitoring and testing. More precisely, we assume that the ERE $R$ to monitor is given a priori, but the letters $a_1, a_2, \ldots, a_n$ forming the word $w$ are received one by one, from the first (1) to the last ($n$). We often call the expression $R$ a "requirement formula" and the letters in $w$ "events". We also assume that $w$ is large enough that one does not want to store it for future processing; therefore, each event has to be processed as it arrives. For that reason, we interchangeably call this problem the "monitoring" or the "incremental membership" problem. We give an exponential space lower bound by showing that any monitoring algorithm for EREs uses space that is $\Omega(2^{c\sqrt{m}})$ in the size $m$ of the ERE, for some fixed constant $c$. Then, inspired by a related technique in [8] for future time linear temporal logic, we give a simple exponential space rewriting algorithm which solves the incremental membership problem in space $O(2^{m^2})$, thus giving an upper bound for the membership problem. In the end we give an improved version of the algorithm, which we implemented and evaluated using Maude; it performs much better than the proved upper bound, thus opening the door for further interesting research in this direction.

Note that the simple-minded technique of first generating a nondeterministic (NFA) or a deterministic finite automaton (DFA) from the ERE and then monitoring against that NFA or DFA is not practical. This is because the size of the NFA or DFA can be non-elementarily larger than the initial ERE: negation involves an NFA-to-DFA translation, which implies an exponential blow-up, and since negations can be nested, the size of such NFAs or DFAs can be a tower of exponentials. Even if one succeeded in storing such an immense automaton, say a DFA, monitoring against it would still be highly exponential, because a transition in a DFA requires time logarithmic in the total number of states (the next state needs to be at least read, and each state label/name needs at least a logarithmic number of bits). Effective translations from EREs to (perhaps alternating) automata may well be possible, and we believe they are, but the simplistic ones are clearly too inconvenient to be considered.

2 Monitoring Extended Regular Expressions 

In this section we define extended regular expressions (ERE) and languages 
formally, and give an exponential space lower bound for monitoring ERE. 



2.1 Definitions 

Extended regular expressions (ERE) define languages by inductively applying union ($+$), concatenation ($\cdot$), Kleene closure ($^*$), intersection ($\cap$), and complementation ($\neg$). More precisely, for an alphabet $\Sigma$, an ERE over $\Sigma$ is defined as follows, where $A \in \Sigma$:

$R ::= \emptyset \mid \epsilon \mid A \mid R + R \mid R \cdot R \mid R^* \mid R \cap R \mid \neg R$.

The language defined by an expression $R$, denoted by $\mathcal{L}(R)$, is defined inductively as $\mathcal{L}(\emptyset) = \emptyset$, $\mathcal{L}(\epsilon) = \{\epsilon\}$, $\mathcal{L}(A) = \{A\}$, $\mathcal{L}(R_1 + R_2) = \mathcal{L}(R_1) \cup \mathcal{L}(R_2)$, $\mathcal{L}(R_1 \cdot R_2) = \{w_1 \cdot w_2 \mid w_1 \in \mathcal{L}(R_1) \text{ and } w_2 \in \mathcal{L}(R_2)\}$, $\mathcal{L}(R^*) = (\mathcal{L}(R))^*$, $\mathcal{L}(R_1 \cap R_2) = \mathcal{L}(R_1) \cap \mathcal{L}(R_2)$, $\mathcal{L}(\neg R) = \Sigma^* \setminus \mathcal{L}(R)$. Given an ERE, as defined above using union, concatenation, Kleene closure, intersection and complementation, one can translate it into an equivalent expression that does not have any intersection operation, by applying De Morgan's laws ($R_1 \cap R_2 = \neg(\neg R_1 + \neg R_2)$). The translation only results in a linear blowup in size. Therefore, in the rest of the paper we do not consider expressions containing intersection. More precisely, we only consider EREs of the form

$R ::= R + R \mid R \cdot R \mid R^* \mid \neg R \mid A \mid \epsilon \mid \emptyset$.

2.2 Monitoring 

In this subsection we will show that any monitoring algorithm for extended regular expressions must use space that is exponential in the size of the regular expression describing the correctness property. We will give an example of a language for which a lot of information needs to be remembered in order to determine whether a trace satisfies the property.
The language that will be used in proving the lower bound was first presented in [3] to show the power of alternation. Since then this example has also been used to prove lower bounds on LTL model checking [15,16]. Consider the language

$L_k = \{\sigma \# w \# \sigma' \$ w \mid w \in \{0,1\}^k \text{ and } \sigma, \sigma' \in \{0,1,\#\}^*\}$.

We will first show that the above language can be described using an ERE of size $O(k^2)$. We will then show that any monitoring algorithm must keep track of all strings over $\{0,1\}$ of length $k$ that appear between $\#$ symbols before the $\$$ in the trace, in order to decide membership in $L_k$. This will give us a space lower bound of $2^k$ for monitoring algorithms.

Proposition 1. There is an ERE $R_k$ such that $\mathcal{L}(R_k) = L_k$ and $|R_k| = \Theta(k^2)$.

Proof. The ERE will be a conjunction of the following two facts:

(a) there is exactly one $\$$ symbol in the trace, and

(b) there is a $\#$ symbol after which there is a string of length $k$ over $\{0,1\}$ before the next $\#$, such that for every $i$, the $i$th symbol after that $\#$ is exactly the same as the $i$th symbol after the $\$$.

In other words, $R_k$ is the following extended regular expression (where $(0+1)^i$ abbreviates $i$ copies of $(0+1)$):

$R_k = (0+1+\#)^* \$ (0+1+\#)^* \ \cap\ (0+1+\#)^* \# \bigcap_{i=0}^{k-1} \Big[ (0+1)^i\, 0\, (0+1)^{k-i-1}\, \#\, (0+1+\#)^*\, \$\, (0+1)^i\, 0\, (0+1)^{k-i-1} \;+\; (0+1)^i\, 1\, (0+1)^{k-i-1}\, \#\, (0+1+\#)^*\, \$\, (0+1)^i\, 1\, (0+1)^{k-i-1} \Big]$

Observe that $|R_k| = \Theta(k^2)$: each of the $k$ conjuncts has size $O(k)$.

In order to prove the space lower bound, the following equivalence relation on strings over $(0+1+\#)^*$ is useful. For a string $\sigma \in (0+1+\#)^*$, define $S(\sigma) = \{w \in (0+1)^k \mid \exists \lambda_1, \lambda_2.\ \lambda_1 \# w \# \lambda_2 = \sigma\}$. We say that $\sigma_1 \equiv_k \sigma_2$ iff $S(\sigma_1) = S(\sigma_2)$. Now observe that the number of equivalence classes of $\equiv_k$ is $2^{2^k}$; this is because for any $S \subseteq (0+1)^k$, there is a $\sigma$ such that $S(\sigma) = S$. We are now ready to prove the space lower bound.

Theorem 1. Any ERE monitoring algorithm requires space $\Omega(2^{c\sqrt{m}})$, where $m$ is the size of the input ERE and $c$ is some fixed constant.

Proof. Since $|R_k| = \Theta(k^2)$ by Proposition 1, there is some constant $c'$ such that $|R_k| \le c' k^2$ for all large enough $k$. Let $c$ be the constant $1/\sqrt{c'}$. We prove the lower bound by contradiction. Suppose $A$ is an ERE monitoring algorithm that uses less than $2^{c\sqrt{m}}$ space for any ERE of large enough size $m$. Consider the behavior of $A$ on inputs of the form $R_k$. Then $m = |R_k| \le c' k^2$, so $c\sqrt{m} \le k$ and $A$ uses less than $2^k$ space. Since the number of equivalence classes of $\equiv_k$ is $2^{2^k}$, by the pigeonhole principle there must be two strings $\sigma_1 \not\equiv_k \sigma_2$ such that the memory of $A(R_k)$ after reading $\sigma_1\$$ is the same as the memory after reading $\sigma_2\$$. In other words, $A(R_k)$ gives the same answer on all inputs of the form $\sigma_1\$w$ and $\sigma_2\$w$. Now since $\sigma_1 \not\equiv_k \sigma_2$, it follows that $(S(\sigma_1) \setminus S(\sigma_2)) \cup (S(\sigma_2) \setminus S(\sigma_1)) \ne \emptyset$. Take $w \in (S(\sigma_1) \setminus S(\sigma_2)) \cup (S(\sigma_2) \setminus S(\sigma_1))$. Then clearly exactly one of $\sigma_1\$w$ and $\sigma_2\$w$ is in $L_k$, and so $A(R_k)$ gives the wrong answer on one of these inputs. Therefore, $A$ is not correct.



3 An Event Consuming Rewriting Algorithm 

In this section we introduce a rewriting-based monitoring procedure. It is based on an event consumption idea, in the sense that an extended regular expression $R$ and an event $a$ produce another extended regular expression, denoted $R\{a\}$, with the property that for any trace $w$, $aw \in \mathcal{L}(R)$ if and only if $w \in \mathcal{L}(R\{a\})$. The ERE $R\{a\}$ is also known as a "derivative" or "residual" in the literature (see [2,1], where several interesting properties of derivatives are also presented). The intuition here is that in order to incrementally test for membership of an incoming sequence of events to a given ERE, one can "process" the events as they become available, by modifying the monitoring requirement expression accordingly.

The rewriting systems in this paper all consider that the operator $\_+\_$ is associative and commutative and that the operator $\_\cdot\_$ is associative. In other words, rewriting is performed modulo the equations:

$(R_1 + R_2) + R_3 = R_1 + (R_2 + R_3)$,
$R_1 + R_2 = R_2 + R_1$,
$(R_1 \cdot R_2) \cdot R_3 = R_1 \cdot (R_2 \cdot R_3)$.



3.1 Rewriting Rules 



We next consider an operation $\_\{\_\}$ which takes an extended regular expression and an event, and give seven rewriting rules which define its operational semantics recursively, on the structure of the regular expression:

$(R_1 + R_2)\{a\} \rightarrow R_1\{a\} + R_2\{a\}$ (1)
$(R_1 \cdot R_2)\{a\} \rightarrow (R_1\{a\}) \cdot R_2 + \mathtt{if}\ (\epsilon \in R_1)\ \mathtt{then}\ R_2\{a\}\ \mathtt{else}\ \emptyset\ \mathtt{fi}$ (2)
$(R^*)\{a\} \rightarrow (R\{a\}) \cdot R^*$ (3)
$(\neg R)\{a\} \rightarrow \neg(R\{a\})$ (4)
$b\{a\} \rightarrow \mathtt{if}\ (b = a)\ \mathtt{then}\ \epsilon\ \mathtt{else}\ \emptyset\ \mathtt{fi}$ (5)
$\epsilon\{a\} \rightarrow \emptyset$ (6)
$\emptyset\{a\} \rightarrow \emptyset$ (7)



The right-hand sides of these rules use operations which we describe next. "$\mathtt{if}\ (\_)\ \mathtt{then}\ \_\ \mathtt{else}\ \_\ \mathtt{fi}$" takes a boolean term and two EREs as arguments and has the expected meaning, defined by two rewriting rules:

$\mathtt{if}\ (\mathit{true})\ \mathtt{then}\ R_1\ \mathtt{else}\ R_2\ \mathtt{fi} \rightarrow R_1$ (8)
$\mathtt{if}\ (\mathit{false})\ \mathtt{then}\ R_1\ \mathtt{else}\ R_2\ \mathtt{fi} \rightarrow R_2$ (9)
We assume a set of rewriting rules that properly evaluate boolean expressions. Boolean expressions include the constants $\mathit{true}$ and $\mathit{false}$, as well as the usual connectives $\_\wedge\_$, $\_\vee\_$ and $\mathit{not}$. Testing for empty trace membership (which is used by (2)) can be efficiently implemented via the following rewriting rules:

$\epsilon \in (R_1 + R_2) \rightarrow (\epsilon \in R_1) \vee (\epsilon \in R_2)$ (10)
$\epsilon \in (R_1 \cdot R_2) \rightarrow (\epsilon \in R_1) \wedge (\epsilon \in R_2)$ (11)
$\epsilon \in (R^*) \rightarrow \mathit{true}$ (12)
$\epsilon \in (\neg R) \rightarrow \mathit{not}(\epsilon \in R)$ (13)
$\epsilon \in b \rightarrow \mathit{false}$ (14)
$\epsilon \in \epsilon \rightarrow \mathit{true}$ (15)
$\epsilon \in \emptyset \rightarrow \mathit{false}$ (16)



The 16 rules defined above are natural and intuitive. Since the memory of our monitoring algorithm will consist of an ERE and since our main concern here is memory, we pay special attention to the size of an ERE. The following three rules keep the size of the ERE generated by the other rules small. For that reason, we call them "simplifying rules". The last one may seem backwards at first sight; its crucial role in keeping EREs small will become clearer later:

$R + \emptyset \rightarrow R$ (17)
$R + R \rightarrow R$ (18)
$R_1 \cdot R + R_2 \cdot R \rightarrow (R_1 + R_2) \cdot R$ (19)

The sizes of the right-hand sides of these three rules are smaller (by at least 2) than their corresponding left-hand sides.

Let $\mathcal{R}$ denote the rewriting system defined above. Some notions and notations are needed before we can state the important results. Let $=_C$ denote the congruence relation generated by the set $C$ containing the three equations just before Subsection 3.1 (associativity of $\_+\_$ and $\_\cdot\_$ and commutativity of $\_+\_$). Then the rewriting relation modulo $C$ generated by the rules above, written $\rightarrow_{\mathcal{R}/C}$, is the relation $=_C ; \rightarrow_{\mathcal{R}} ; =_C$, where semicolon denotes composition of binary relations and $\rightarrow_{\mathcal{R}}$ is the ordinary (non-AC) relation generated by $\mathcal{R}$. We say that $\mathcal{R}$ is terminating modulo $C$ if and only if $\rightarrow_{\mathcal{R}/C}$ is terminating, and that it is ground Church-Rosser modulo $C$ if and only if $\leftrightarrow^*_{\mathcal{R} \cup C}$ is contained in $\rightarrow^*_{\mathcal{R}/C} ; =_C ; \leftarrow^*_{\mathcal{R}/C}$ on all ground terms (concrete EREs in our case). The typical technique to show termination modulo some equations is to define a weight function on terms, assigning a natural number to each term, and then show that this map is invariant with respect to the equations and decreasing with respect to the rewriting rules.

Theorem 2. $\mathcal{R}$ is terminating and ground Church-Rosser modulo $C$; let $\mathit{nf}_{\mathcal{R}/C}(R)$ be the normal form of $R$ in $\mathcal{R}$ modulo $C$. Furthermore, for a given extended regular expression $R$ and a given event $a$, $\mathcal{L}(\mathit{nf}_{\mathcal{R}/C}(R\{a\})) = \{w \mid aw \in \mathcal{L}(R)\}$.
Proof. Let $\gamma$ be a function to natural numbers defined inductively as follows on terms of sort extended regular expression:

$\gamma(R\{a\}) = (\gamma(R) + 1)^2$,
$\gamma(R_1 + R_2) = \gamma(R_1 \cdot R_2) = \gamma(R_1) + \gamma(R_2) + 1$,
$\gamma(R^*) = \gamma(\neg R) = \gamma(R) + 1$,
$\gamma(b) = \gamma(\epsilon) = \gamma(\emptyset) = 1$,

and on terms of sort bool:

$\gamma(\epsilon \in R) = 2 \cdot \gamma(R)$,
$\gamma(B_1 \wedge B_2) = \gamma(B_1 \vee B_2) = \gamma(B_1) + \gamma(B_2) + 1$,
$\gamma(\mathit{not}(B)) = \gamma(B) + 1$,
$\gamma(\mathit{true}) = \gamma(\mathit{false}) = 1$.

Let us now define a binary relation on extended regular expression terms as $R >_\gamma R'$ if and only if $\gamma(R) > \gamma(R')$. It can easily be seen that $>_\gamma$ is well-founded and that $\gamma(R) = \gamma(R')$ for each associativity or commutativity equation $R = R'$ in $C$. We claim that $>_\gamma$ includes the rewriting relation $\rightarrow_{\mathcal{R}/C}$. It suffices to show that $>_\gamma$ includes the relation $\rightarrow_{\mathcal{R}}$, which can be simply tested on each of the rewriting rules in $\mathcal{R}$. For example, rule (2) can be tested as follows:

$\gamma((R_1 \cdot R_2)\{a\}) > \gamma((R_1\{a\}) \cdot R_2 + \mathtt{if}\ (\epsilon \in R_1)\ \mathtt{then}\ R_2\{a\}\ \mathtt{else}\ \emptyset\ \mathtt{fi})$, iff
$(\gamma(R_1 \cdot R_2) + 1)^2 > \gamma((R_1\{a\}) \cdot R_2) + \gamma(\mathtt{if}\ (\epsilon \in R_1)\ \mathtt{then}\ R_2\{a\}\ \mathtt{else}\ \emptyset\ \mathtt{fi}) + 1$, iff
$(\gamma(R_1) + \gamma(R_2) + 2)^2 > (\gamma(R_1) + 1)^2 + \gamma(R_2) + 2 \cdot \gamma(R_1) + (\gamma(R_2) + 1)^2 + 3$, iff
$2 \cdot \gamma(R_1) \cdot \gamma(R_2) + \gamma(R_2) > 1$,

which holds since $\gamma$ takes values $\ge 1$. For simplicity, assume that rule (5) is replaced by a finite set of rules $b\{a\} \rightarrow \emptyset$ for each pair of different $a, b$ in the alphabet and $a\{a\} \rightarrow \epsilon$ for each $a$. We can therefore conclude that $\mathcal{R}$ is terminating modulo $C$. Due to space limitations, the Church-Rosser property of $\mathcal{R}$ modulo $C$ will be shown elsewhere. Note, however, that since $\mathcal{R}$ is not left-linear (see rules (18) and (19)), one cannot apply the classical critical pair completion procedure of Huet [13].

We next show that for any extended regular expression $R$ and any event $a$, $\mathcal{L}(\mathit{nf}_{\mathcal{R}/C}(R\{a\})) = \{w \mid aw \in \mathcal{L}(R)\}$. First notice that for any two extended regular expressions $R$ and $R'$ (not containing the operation $\_\{\_\}$), $\mathcal{L}(R) = \mathcal{L}(R')$ whenever $R \rightarrow_{\mathcal{R}/C} R'$; this is because the rules (17), (18) and (19) in $\mathcal{R}$ and all the equations in $C$, the only ones which can be applied, are all valid properties of regular languages. In particular, $\mathcal{L}(R) = \mathcal{L}(\mathit{nf}_{\mathcal{R}/C}(R))$ for any extended regular expression $R$. We can now start showing our main result inductively, on the structure of the extended regular expression:

$\mathcal{L}(\mathit{nf}_{\mathcal{R}/C}((R_1 + R_2)\{a\})) = \mathcal{L}(\mathit{nf}_{\mathcal{R}/C}(R_1\{a\} + R_2\{a\}))$
$= \mathcal{L}(\mathit{nf}_{\mathcal{R}/C}(R_1\{a\}) + \mathit{nf}_{\mathcal{R}/C}(R_2\{a\}))$
$= \mathcal{L}(\mathit{nf}_{\mathcal{R}/C}(R_1\{a\})) \cup \mathcal{L}(\mathit{nf}_{\mathcal{R}/C}(R_2\{a\}))$
$= \{w \mid aw \in \mathcal{L}(R_1)\} \cup \{w \mid aw \in \mathcal{L}(R_2)\}$
$= \{w \mid aw \in \mathcal{L}(R_1 + R_2)\}$.

Before we continue, note that for any ground or concrete ERE $R$, the normal form of $\epsilon \in R$ in $\mathcal{R}$ modulo $C$ is either $\mathit{true}$ or $\mathit{false}$. Moreover, $\mathit{nf}_{\mathcal{R}/C}(\epsilon \in R) = \mathit{true}$ if and only if $\epsilon \in \mathcal{L}(R)$, which implies that $\mathit{nf}_{\mathcal{R}/C}(\mathtt{if}\ (\epsilon \in R_1)\ \mathtt{then}\ R_2\{a\}\ \mathtt{else}\ \emptyset\ \mathtt{fi})$ is either $\mathit{nf}_{\mathcal{R}/C}(R_2\{a\})$ when $\epsilon \in \mathcal{L}(R_1)$ or $\emptyset$ when $\epsilon \notin \mathcal{L}(R_1)$. Then

$\mathcal{L}(\mathit{nf}_{\mathcal{R}/C}((R_1 \cdot R_2)\{a\})) = \mathcal{L}(\mathit{nf}_{\mathcal{R}/C}((R_1\{a\}) \cdot R_2 + \mathtt{if}\ (\epsilon \in R_1)\ \mathtt{then}\ R_2\{a\}\ \mathtt{else}\ \emptyset\ \mathtt{fi}))$
$= \mathcal{L}(\mathit{nf}_{\mathcal{R}/C}(\mathit{nf}_{\mathcal{R}/C}(R_1\{a\}) \cdot R_2 + \mathit{nf}_{\mathcal{R}/C}(\mathtt{if}\ (\epsilon \in R_1)\ \mathtt{then}\ R_2\{a\}\ \mathtt{else}\ \emptyset\ \mathtt{fi})))$
$= \mathcal{L}(\mathit{nf}_{\mathcal{R}/C}(\mathit{nf}_{\mathcal{R}/C}(R_1\{a\}) \cdot R_2 + \mathit{nf}_{\mathcal{R}/C}(R_2\{a\})))$ when $\epsilon \in \mathcal{L}(R_1)$, or
$\ \ \mathcal{L}(\mathit{nf}_{\mathcal{R}/C}(\mathit{nf}_{\mathcal{R}/C}(R_1\{a\}) \cdot R_2 + \emptyset))$ when $\epsilon \notin \mathcal{L}(R_1)$
$= \mathcal{L}(\mathit{nf}_{\mathcal{R}/C}(R_1\{a\})) \cdot \mathcal{L}(R_2) \cup \mathcal{L}(\mathit{nf}_{\mathcal{R}/C}(R_2\{a\}))$ when $\epsilon \in \mathcal{L}(R_1)$, or
$\ \ \mathcal{L}(\mathit{nf}_{\mathcal{R}/C}(R_1\{a\})) \cdot \mathcal{L}(R_2)$ when $\epsilon \notin \mathcal{L}(R_1)$
$= \{w \mid aw \in \mathcal{L}(R_1)\} \cdot \mathcal{L}(R_2) \cup \{w \mid aw \in \mathcal{L}(R_2)\}$ when $\epsilon \in \mathcal{L}(R_1)$, or
$\ \ \{w \mid aw \in \mathcal{L}(R_1)\} \cdot \mathcal{L}(R_2)$ when $\epsilon \notin \mathcal{L}(R_1)$
$= \{w \mid aw \in \mathcal{L}(R_1 \cdot R_2)\}$.

Similarly, the inductive property follows for repetition and complement:

$\mathcal{L}(\mathit{nf}_{\mathcal{R}/C}((R^*)\{a\})) = \mathcal{L}(\mathit{nf}_{\mathcal{R}/C}((R\{a\}) \cdot R^*))$
$= \mathcal{L}(\mathit{nf}_{\mathcal{R}/C}(R\{a\}) \cdot R^*)$
$= \mathcal{L}(\mathit{nf}_{\mathcal{R}/C}(R\{a\})) \cdot \mathcal{L}(R^*)$
$= \{w \mid aw \in \mathcal{L}(R)\} \cdot \mathcal{L}(R^*)$
$= \{w \mid aw \in \mathcal{L}(R^*)\}$,

and

$\mathcal{L}(\mathit{nf}_{\mathcal{R}/C}((\neg R)\{a\})) = \mathcal{L}(\mathit{nf}_{\mathcal{R}/C}(\neg(R\{a\})))$
$= \mathcal{L}(\neg\, \mathit{nf}_{\mathcal{R}/C}(R\{a\}))$
$= \Sigma^* \setminus \mathcal{L}(\mathit{nf}_{\mathcal{R}/C}(R\{a\}))$
$= \Sigma^* \setminus \{w \mid aw \in \mathcal{L}(R)\}$
$= \{w \mid aw \notin \mathcal{L}(R)\}$
$= \{w \mid aw \in \mathcal{L}(\neg R)\}$.

The remaining cases, when $R$ is a singleton, $\epsilon$ or $\emptyset$, are trivial. Thus we conclude that $\mathcal{L}(\mathit{nf}_{\mathcal{R}/C}(R\{a\})) = \{w \mid aw \in \mathcal{L}(R)\}$ for any extended regular expression $R$ and any event $a$.

From now on in the paper, we let $R\{a\}$ also (ambiguously) denote the term $\mathit{nf}_{\mathcal{R}/C}(R\{a\})$, and consider that the rewrites in $\mathcal{R}$ modulo $C$ are always applied automatically.



3.2 The Algorithm 

We can now introduce our rewriting based algorithm for incrementally testing 
membership of words or traces to extended regular languages: 
Algorithm $A(R, a_1, a_2, \ldots, a_n)$
Input: an ERE $R$ and events $a_1, a_2, \ldots, a_n$ received incrementally
Output: $\mathit{true}$ if and only if $a_1 a_2 \cdots a_n \in \mathcal{L}(R)$, $\mathit{false}$ otherwise

1. let $R'$ be $R$
2. let $i$ be 1
3. while $i \le n$ do
4.   wait until $a_i$ is available
5.   let $R'$ be $\mathit{nf}_{\mathcal{R}/C}(R'\{a_i\})$
6.   if $R' = \emptyset$ then return $\mathit{false}$
7.   if $R' = \neg(\emptyset)$ then return $\mathit{true}$
8.   let $i$ be $i + 1$
9. return $(\epsilon \in R')$, calculated using $\mathcal{R}$ (modulo $C$ or not)

Therefore, a local ERE $R'$ is updated after receiving each of the events $a_i$. If $R'$ ever becomes empty (step 6) then, by Theorem 2, there is no way for the remaining events to make the whole trace an accepted one, so the algorithm returns false and the remaining events are not processed anymore. Similarly, if $R'$ becomes the total language (step 7), then also by Theorem 2 any continuation will be accepted, so the algorithm safely returns true. Step 9 finally tests whether the empty word is in $R'$ after all the events have been processed, which, by Theorem 2 again, tells whether the sequence $a_1 a_2 \cdots a_n$ is in the language of $R$.
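The rules of Subsection 3.1 and the algorithm above, carried out in Python as an added illustration; this is not the paper's implementation (the authors' Maude modules appear in Section 4), and every name below is this example's own. Sums are stored as frozensets, so associativity, commutativity and rule (18) hold by construction; concatenations are tuples, which gives associativity; rules (17) and (19), double negation elimination and the absorption $\neg\emptyset + R = \neg\emptyset$ (both also present among the simplifying equations of Section 4) are applied whenever a sum or a complement is built. Intersection, which Subsection 2.1 eliminates by De Morgan's laws, is provided as $\neg(\neg R_1 + \neg R_2)$, so the lower-bound expression $R_k$ of Proposition 1 can be built and monitored as well; condition (a) of that proposition is written $(0+1+\#)^*\$(0+1+\#)^*$.

```python
# Added example (not the paper's Maude code): rules (1)-(19) of Section 3 and
# Algorithm A of Subsection 3.2.  Terms: EMPTY, EPS, ('sym', a),
# ('+', frozenset), ('.', tuple), ('*', r), ('~', r).  All names are this
# example's own.
EMPTY, EPS = ('0',), ('e',)         # empty set, empty word
SIGMA_STAR = ('~', EMPTY)           # ~0, the total language

def sym(a):
    return ('sym', a)

def cat(*rs):                       # concatenation mod assoc; drops e, absorbs 0
    flat = []
    for r in rs:
        flat.extend(r[1] if r[0] == '.' else (r,))
    flat = [r for r in flat if r != EPS]
    if EMPTY in flat:
        return EMPTY
    return EPS if not flat else flat[0] if len(flat) == 1 else ('.', tuple(flat))

def plus(*rs):                      # union mod AC, rules (17), (18), (19)
    alts = set()
    for r in rs:
        alts.update(r[1] if r[0] == '+' else {r})
    alts.discard(EMPTY)             # (17) R + 0 = R; the set gives (18) R + R = R
    if SIGMA_STAR in alts:          # ~0 + R = ~0
        return SIGMA_STAR
    groups = {}
    for r in alts:
        if r[0] == '.':
            groups.setdefault(r[1][-1], []).append(r)
    for tail, members in groups.items():
        if len(members) > 1:        # (19) R1.R + R2.R = (R1 + R2).R
            alts.difference_update(members)
            alts.add(cat(plus(*(cat(*m[1][:-1]) for m in members)), tail))
    if not alts:
        return EMPTY
    return next(iter(alts)) if len(alts) == 1 else ('+', frozenset(alts))

def star(r):
    return EPS if r in (EMPTY, EPS) else r if r[0] == '*' else ('*', r)

def neg(r):
    return r[1] if r[0] == '~' else ('~', r)

def inter(r1, r2):                  # R1 /\ R2 = ~(~R1 + ~R2), Subsection 2.1
    return neg(plus(neg(r1), neg(r2)))

def nullable(r):                    # epsilon in R, rules (10)-(16)
    if r[0] == '+':
        return any(nullable(x) for x in r[1])
    if r[0] == '.':
        return all(nullable(x) for x in r[1])
    if r[0] == '~':
        return not nullable(r[1])
    return r[0] in ('*', 'e')

def deriv(r, a):                    # R{a}, rules (1)-(7): {w | a.w in L(R)}
    if r[0] == '+':
        return plus(*(deriv(x, a) for x in r[1]))
    if r[0] == '.':
        first, rest = r[1][0], cat(*r[1][1:])
        return plus(cat(deriv(first, a), rest),
                    deriv(rest, a) if nullable(first) else EMPTY)
    if r[0] == '*':
        return cat(deriv(r[1], a), r)
    if r[0] == '~':
        return neg(deriv(r[1], a))
    return EPS if r[0] == 'sym' and r[1] == a else EMPTY   # b{a}, e{a}, 0{a}

def monitor(r, events):
    """Algorithm A: consume events, stopping early on a residual of 0 or ~0."""
    for a in events:
        r = deriv(r, a)
        if r in (EMPTY, SIGMA_STAR):
            return r == SIGMA_STAR
    return nullable(r)

def lower_bound_language(k):
    """R_k of Proposition 1 over {0,1,#,$}: one $, and some #-delimited block of
    k bits before the $ is repeated right after it (intersection via De Morgan)."""
    bit = plus(sym('0'), sym('1'))
    rest = star(plus(sym('0'), sym('1'), sym('#')))      # (0+1+#)*
    body = SIGMA_STAR
    for i in range(k):                                   # bit i of w is repeated
        blks = [cat(*([bit] * i), sym(b), *([bit] * (k - i - 1))) for b in '01']
        body = inter(body, plus(*(cat(blk, sym('#'), rest, sym('$'), blk)
                                  for blk in blks)))
    return inter(cat(rest, sym('$'), rest), cat(rest, sym('#'), body))
```

Applied to the expressions of the reduce commands in Section 4, deriv yields the same residuals Maude prints there; monitor(neg(cat(sym('A'), sym('A'))), 'B') returns true after a single event, because the residual is already $\neg\emptyset$ (step 7); and monitor(lower_bound_language(2), '1#01#0$01') returns true while '1#01#0$10' returns false, the $k = 2$ instance of the lower-bound language.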

3.3 Analysis 

We will now show that the space and time requirements of our rewriting algo- 
rithm are not much worse than the lower bounds proved in the previous section. 
Our rewriting algorithm keeps track of one extended regular expression which it 
modifies every time it receives a new event from the trace. We will prove that 
the size of this regular expression is bounded, no matter how many events are 
processed, and this will give us the desired bounds. 

For an extended regular expression $R$, define the function $\mathit{size}$ as follows:

$\mathit{size}(R) = \max_{n,\, a_1 a_2 \cdots a_n} |R\{a_1\}\{a_2\} \cdots \{a_n\}|$.

So $\mathit{size}(R)$ is the maximum size that $R$ can grow to for any sequence of events.

Proposition 2. $\max_{|R| \le m} \mathit{size}(R) \le 2^{m^2}$.

Proof. Before presenting a proof of the bound, we introduce some notation that will be useful in the proof. For a regular expression $R$, we denote by $\overline{R\{a_1\}\{a_2\} \cdots \{a_n\}}$ the regular expression (actually its normal form in $\mathcal{R}$)

$R\{a_1\}\{a_2\} \cdots \{a_n\} + R\{a_2\}\{a_3\} \cdots \{a_n\} + \cdots + R\{a_n\}$.

In addition, we define the following functions:

$\overline{\mathit{size}}(R) = \max_{n,\, a_1 a_2 \cdots a_n} |\overline{R\{a_1\}\{a_2\} \cdots \{a_n\}}|$,
$\mathit{diff}(R) = \max_{n,\, a_1 a_2 \cdots a_n} |\{R\{a_i\}\{a_{i+1}\} \cdots \{a_n\} \mid 1 \le i \le n\}|$,
$\overline{\mathit{diff}}(R) = \max_{n,\, a_1 a_2 \cdots a_n} |\{\overline{R\{a_i\}\{a_{i+1}\} \cdots \{a_n\}} \mid 1 \le i \le n\}|$.

So $\overline{\mathit{size}}(R)$ measures the maximum size the expression $\overline{R\{a_1\} \cdots \{a_n\}}$ can grow to, $\mathit{diff}(R)$ measures the number of syntactically different terms $R\{a_i\} \cdots \{a_n\}$, and finally $\overline{\mathit{diff}}(R)$ is similar to $\mathit{diff}(R)$ but defined for $\overline{R\{a_i\} \cdots \{a_n\}}$.

Using the above functions, we will be able to bound $\mathit{size}$ inductively. We first make some important observations regarding the expression $|R\{a_1\}\{a_2\} \cdots \{a_n\}|$ based on the form of $R$:

$|(R_1 + R_2)\{a_1\} \cdots \{a_n\}| = |R_1\{a_1\} \cdots \{a_n\} + R_2\{a_1\} \cdots \{a_n\}|$
$\le |R_1\{a_1\} \cdots \{a_n\}| + |R_2\{a_1\} \cdots \{a_n\}| + 1$

$|(R_1 \cdot R_2)\{a_1\} \cdots \{a_n\}| \le |(R_1\{a_1\} \cdots \{a_n\}) \cdot R_2 + R_2\{a_n\} + \cdots + R_2\{a_1\} \cdots \{a_n\}|$
$\le |R_1\{a_1\} \cdots \{a_n\}| + 1 + |R_2| + |\overline{R_2\{a_1\} \cdots \{a_n\}}| + 1$

$|(R_1^*)\{a_1\} \cdots \{a_n\}| \le |(\overline{R_1\{a_1\} \cdots \{a_n\}}) \cdot R_1^*|$
$= |\overline{R_1\{a_1\} \cdots \{a_n\}}| + |R_1^*| + 1$

$|(\neg R_1)\{a_1\} \cdots \{a_n\}| = |\neg(R_1\{a_1\} \cdots \{a_n\})|$
$= |R_1\{a_1\} \cdots \{a_n\}| + 1$

The only observation that needs some explanation is the one corresponding to $R_1^*$. Observe that $(R_1^*)\{a_1\} \cdots \{a_n\}$ will get rewritten, in the worst case, as

$(R_1\{a_1\} \cdots \{a_n\}) \cdot R_1^* + (R_1\{a_2\} \cdots \{a_n\}) \cdot R_1^* + \cdots + (R_1\{a_n\}) \cdot R_1^*$,

which after simplification using rule (19) will be $(\overline{R_1\{a_1\} \cdots \{a_n\}}) \cdot R_1^*$. Note that, in making the above observations, we make use of the fact that $\mathcal{R}$ is ground Church-Rosser modulo $C$ (see Theorem 2).

Based on these observations, we can give an inductive bound on $\mathit{size}$:

$\mathit{size}(R_1 + R_2) \le \mathit{size}(R_1) + \mathit{size}(R_2) + 1$,
$\mathit{size}(R_1 \cdot R_2) \le \mathit{size}(R_1) + |R_2| + \overline{\mathit{size}}(R_2) + 2$,
$\mathit{size}(R_1^*) \le \overline{\mathit{size}}(R_1) + |R_1^*| + 1$,
$\mathit{size}(\neg R_1) \le \mathit{size}(R_1) + 1$.

We are now ready to give bounds on $\overline{\mathit{size}}$. Observe that:

$\overline{\mathit{size}}(R_1 + R_2) \le \overline{\mathit{size}}(R_1) + \overline{\mathit{size}}(R_2) + 1$,
$\overline{\mathit{size}}(R_1 \cdot R_2) \le \overline{\mathit{size}}(R_1) + |R_2| + \overline{\mathit{size}}(R_2) + 2$,
$\overline{\mathit{size}}(R_1^*) \le \overline{\mathit{size}}(R_1) + |R_1^*| + 1$,
$\overline{\mathit{size}}(\neg R_1) \le \mathit{diff}(R_1) \cdot \mathit{size}(R_1) + 2 \cdot \mathit{diff}(R_1)$.

The reasons for the above inequalities are similar to those for $\mathit{size}$. The only case that needs explanation is the one for $\neg R_1$. Observe that $(\neg R_1)\{a_1\} \cdots \{a_n\} + (\neg R_1)\{a_2\} \cdots \{a_n\} + \cdots + (\neg R_1)\{a_n\}$ is the same as $\neg(R_1\{a_1\} \cdots \{a_n\}) + \cdots + \neg(R_1\{a_n\})$. So, based on how many of the terms $R_1\{a_i\} \cdots \{a_n\}$ are different, we can bound $\overline{\mathit{size}}(\neg R_1)$.

Finally, we give the bounds on the functions $\mathit{diff}$ and $\overline{\mathit{diff}}$ based on a similar reasoning:

$\mathit{diff}(R_1 + R_2) \le \mathit{diff}(R_1) \cdot \mathit{diff}(R_2)$,
$\mathit{diff}(R_1 \cdot R_2) \le \mathit{diff}(R_1) \cdot \overline{\mathit{diff}}(R_2)$,
$\mathit{diff}(R_1^*) \le \overline{\mathit{diff}}(R_1)$,
$\mathit{diff}(\neg R_1) \le \mathit{diff}(R_1)$.

To complete the analysis, observe that $\overline{\mathit{diff}}(R) \le \mathit{diff}(R)$: each $\overline{R\{a_i\} \cdots \{a_n\}}$ is, modulo $C$ and rule (18), the sum of the set $\{R\{a_j\} \cdots \{a_n\} \mid i \le j \le n\}$, and these sets form a decreasing chain of nonempty subsets of a set with at most $\mathit{diff}(R)$ elements, so at most $\mathit{diff}(R)$ of them are distinct.

If we take $\max_{|R| \le m} \mathit{diff}(R)$ and $\max_{|R| \le m} \overline{\mathit{diff}}(R)$ to be bounded by $2^m$, and $\max_{|R| \le m} \mathit{size}(R)$ and $\max_{|R| \le m} \overline{\mathit{size}}(R)$ to be bounded by $2^{m^2}$, then we see that all of the inequalities are satisfied. Hence the proposition follows.



Theorem 3. The monitoring algorithm based on rewriting uses space $O(2^{2m^2})$ and time $O(n \cdot 2^{2m^2})$; time is measured in number of rewriting steps.

Proof. The space needed by the algorithm consists of the space needed to store the evolving ERE. By the proposition above, we know that, after simplification, such an ERE will never be larger than $O(2^{m^2})$, where $m$ is the size of the initial ERE. However, before simplification, the stored ERE first suffers an increase in size. We claim that, regardless of the order in which rewrite rules are applied, the size of the intermediate term obtained by deriving a given ERE of size $M$ will never grow larger than $O(M^2)$. This is indeed true, because if one analyzes the rewriting rules which can increase the size of the term, namely rules (1)-(7) and (10)-(11), then one can see that the worst case scenario is given by a recurrence $S(M_1 + M_2 + 1) \le S(M_1) + S(M_2) + M_1 + M_2 + c$, where $c$ is some (small) constant; this recurrence implies $S(M) = O(M^2)$. Therefore, the space needed by our rewriting algorithm is $O((2^{m^2})^2) = O(2^{2m^2})$.

The number of rewrites needed to process one event is also $O(2^{2m^2})$. Note first that the number of rewrites for a test $\epsilon \in R$ is $|R|$. Then one can easily give a recurrence for the number of rewrites needed to push an event to the leaves; for example, in the case of concatenation this is $N((R_1 \cdot R_2)\{a\}) \le N(R_1) + |R_1| + N(R_2) + 1$. Therefore, there are $O(2^{2m^2})$ applications of rules (1)-(16). Since each of the remaining rules, the simplifying ones, decreases the size of the term by at least 2 and the maximum size of the term is $O(2^{2m^2})$, it follows that the total number of rewrites needed to process an event is indeed $O(2^{2m^2})$.

The above results can be improved if one considers only regular expressions instead of extended regular expressions. Applying the same rewriting algorithm to expressions that do not contain negations, the very same analysis shows that the rewriting algorithm uses space $O(m^2)$ and running time $O(n \cdot m^2)$.

Theorem 4. The monitoring algorithm based on rewriting, when applied to expressions not containing any negation, uses space $O(m^2)$ and time $O(n \cdot m^2)$.

4 Implementation, Evaluation and Conclusion 

We have implemented in Maude [4] several improved versions of the rewriting-based algorithm in Section 3. In this section we present the implementation which worked best on our test suites. A rigorous space/time analysis seems hard to do and is not given for this implementation, but the experimental data given below suggest that the $O(2^{m^2})$ space upper bound proved in Subsection 3.3 is of theoretical rather than practical importance. We hope to calculate the exact worst-case complexity of the rewriting procedure below soon, but for now are happy to present it as a procedure for monitoring extended regular expressions which performs very well in practice. The usual operations on extended regular expressions can be defined in a functional module (fmod ... endfm) as follows:

  fmod ERE is
    sorts Event Ere .
    subsort Event < Ere .
    op _+_ : Ere Ere -> Ere [assoc comm prec 60] .
    op __ : Ere Ere -> Ere [assoc prec 50] .
    ops (_*) (~_) : Ere -> Ere .
    ops epsilon empty : -> Ere .
  endfm

Concatenation is written by juxtaposition (the operator __). Precedences were given to some operators to avoid writing parentheses: the lower the precedence, the tighter the binding, so concatenation binds tighter than _+_.

The 10 rules for $\epsilon$-membership and for simplifying extended regular expressions were given in Section 3 (rules (10)-(19)). These rules were shown to keep the size of any evolving extended regular expression below $2^{m^2}$, where $m$ is its initial size. Driven by practical experiments, we have decided to define a partial ERE inclusion operator, called _in_, using 22 rewriting rules (some of them conditional), which correctly extends the needed (total) $\epsilon$-membership of Section 3. Together with another 10 simplifying rules, ERE inclusion is defined in the following module (simplifying equations first, inclusion equations next):

  fmod SIMPLIFY-ERE is including ERE .
    vars R R' R1 R2 R1' R2' : Ere .
    vars A B : Event .
    *** simplifying equations; the conditional one generalizes rule (18)
    eq empty R = empty .
    eq epsilon R = R .
    eq ~ ~ R = R .
    eq epsilon * = epsilon .
    ceq R1 + R2 = R2 if R1 in R2 .
    eq R empty = empty .
    eq R epsilon = R .
    eq R * * = R * .
    eq empty * = epsilon .    *** L(empty *) = {epsilon}, as epsilon in R* is true
    eq R1 R + R2 R = (R1 + R2) R .
    *** partial ERE inclusion
    op _in_ : Ere Ere -> Bool .
    eq empty in R = true .
    eq epsilon in A = false .
    eq A in B = (A == B) .
    eq R in R = true .
    eq epsilon in (R1 + R2) = epsilon in R1 or epsilon in R2 .
    eq A in (R1 + R2) = A in R1 or A in R2 .
    ceq R in (R1 + R2) = true if R in R1 .
    eq (R1 + R2) in R = R1 in R and R2 in R .
    eq epsilon in (R1 R2) = epsilon in R1 and epsilon in R2 .
    eq A in (R1 R2) =
      A in R1 and epsilon in R2 or A in R2 and epsilon in R1 .
    ceq (R1 R2) in (R1' R2') = true if (R1 in R1') /\ (R2 in R2') .
    eq epsilon in (R *) = true .
    ceq R1 in (R *) = true if R1 in R .
    ceq (R1 R2) in (R *) = true if (R1 in (R *)) /\ (R2 in (R *)) .
    eq R in (~ empty) = true .
    eq R in (~ epsilon) = not (epsilon in R) .
    eq R in (~ A) = not (A in R) .
    eq epsilon in (~ R) = not (epsilon in R) .
    eq A in (~ R) = not (A in R) .
    eq (~ R) in (~ R') = R' in R .
    eq R in empty = R == empty .
    eq R in epsilon = R == empty or R == epsilon .
  endfm

The module above therefore adds 32 equations to the EREs defined syntactically in the module ERE (imported with the Maude keyword including). Maude executes these equations as (conditional) rewrite rules; a condition such as R1 in R2 that does not reduce to true simply leaves the equation unapplied, which is why the inclusion only needs to be partial. The major simplifying rule in SIMPLIFY-ERE is the conditional equation R1 + R2 = R2 if R1 in R2, which properly generalizes rule (18) in Section 3; this was the rule motivating the definition of the partial ERE inclusion.

We can now define the event consuming operator, together with its associated seven rules (1)-(7) from Section 3:

  fmod CONSUME-EVENT is protecting SIMPLIFY-ERE .
    vars R1 R2 R : Ere .  vars A B C : Event .
    op _{_} : Ere Event -> Ere [prec 45] .
    eq (R1 + R2){A} = R1{A} + R2{A} .
    eq (R1 R2){A} =
      R1{A} R2 + if (epsilon in R1) then R2{A} else empty fi .
    eq (R *){A} = R{A} (R *) .
    eq (~ R){A} = ~ (R{A}) .
    eq B{A} = if B == A then epsilon else empty fi .
    eq epsilon{A} = empty .
    eq empty{A} = empty .
  endfm

The conditional operator if_then_else_fi, whose semantics was given by the rules (8)-(9) in Section 3, is part of the builtin BOOL module in Maude.

One can now use the rewriting procedure above either by launching Maude reduce commands directly, such as:

  red (A (A + B) *) * {A} .
  red ((A + B) ((C + A) * (A B *) *) *) * {A} .
  red ((A + B) ((C + A) * (A B *) *) *) * {B} .
  red ((A + B) ((C + A) * (A B *) *) *) * {C} .

which give the following expected answers (commutativity of _+_ lets Maude print C + A as A + C):

  reduce in CONSUME-EVENT : (A (A + B) *) * {A} .
  rewrites: 14 in 0ms cpu (0ms real) (~ rewrites/second)
  result Ere: (A + B) * (A (A + B) *) *

  reduce in CONSUME-EVENT : ((A + B) ((A + C) * (A B *) *) *) * {A} .
  rewrites: 32 in 0ms cpu (0ms real) (~ rewrites/second)
  result Ere: ((A + C) * (A B *) *) * ((A + B) ((A + C) * (A B *) *) *) *

  reduce in CONSUME-EVENT : ((A + B) ((A + C) * (A B *) *) *) * {B} .
  rewrites: 32 in 0ms cpu (0ms real) (~ rewrites/second)
  result Ere: ((A + C) * (A B *) *) * ((A + B) ((A + C) * (A B *) *) *) *

  reduce in CONSUME-EVENT : ((A + B) ((A + C) * (A B *) *) *) * {C} .
  rewrites: 31 in 0ms cpu (0ms real) (~ rewrites/second)
  result Ere: empty

or by calling it from a different place (procedure, thread, process) where the algorithm in Subsection 3.2 is implemented. It is worth mentioning that this algorithm can also be implemented directly in Maude, using its loop mode feature [4], which is specially designed to process events interactively.

We have tested the event consuming procedure above on several extended regular expressions and several sequences of events, and the results were quite encouraging. We were not able to notice any measurable running time on meaningful formulae that one would want to enforce in real software monitoring applications. In order to do proper worst-case measurements, we have implemented (also by rewriting in Maude) another procedure which takes as input a natural number $m$ and does the following:

1. Generates all extended regular expressions of size $m$ over 0 and 1;

2. For each such expression $R$, it calculates the number $\mathit{size}(R)$ (see Subsection 3.3) by exhaustively generating the set of all the extended regular expressions $R\{a_1\}\{a_2\} \cdots \{a_n\}$ for all $n$ and $a_1, a_2, \ldots, a_n \in \{0, 1\}$; by Proposition 2, this set is finite;

3. It returns the largest of $\mathit{size}(R)$ for all $R$ above.

This algorithm is obviously very inefficient [1]. We were only able to run it for all $m \le 12$ in less than 24 hours, generating the following table:


  m                        |  1   2   3   4   5   6   7   8   9  10  11  12
  max_{|R| <= m} size(R)   |  1   2   6   8  18  24  39  51  57  77  92 108



Since the space requirement of our rewriting monitoring procedure is given by the size of the current formula, the table above gives us a measure of the space needed in the worst case by our rewriting algorithm. It shows, for example, that an extended regular expression of size 12 grows, in the worst possible case, to size 108, which is of course vastly better than the upper bound that we were able to prove for the simplified algorithm, namely $2^{12^2} = 2^{144} = 22{,}300{,}745{,}198{,}530{,}623{,}141{,}535{,}718{,}272{,}648{,}361{,}505{,}980{,}416$. This tells us that there is plenty of room for further research in finding better rewriting based algorithms and better upper bounds for space requirements than the ones we were able to find in Section 3. The improved rewriting procedure presented in this section may be such a significantly better membership algorithm, but proving it seems to be hard.

[1] We are, however, happy to provide it on request.
It is worth mentioning that, even if one removes the auxiliary rewriting rules from the module above and keeps only the 19 rules presented in the previous section, the size of the evolving ERE still stays smaller than $2^m$. This stimulates us to conclude with the following:

Conjecture. The rewriting-based algorithm presented in Section 3 runs in space $O(2^m)$ and time $O(n \cdot 2^m)$, where $m$ is the size of the ERE and $n$ is the size of the event trace. Moreover, these are the lower bounds for the membership problem.